US20150121078A1 - Apparatus, systems and methods for agile enablement of secure communications for cloud based applications - Google Patents
- Publication number: US20150121078A1 (application US14/063,950)
- Authority: US (United States)
- Prior art keywords: cloud, wildcard, security certificate, certificate, application
- Legal status: Granted
Classifications
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F9/45533—Hypervisors; Virtual machine monitors
- H04L9/006—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
- H04L2209/64—Self-signed certificates
Definitions
- the present invention relates to the field of distributed computing and in particular, to apparatus, systems, and methods to facilitate secure communications for cloud-based applications.
- a physical networked cluster of computers is often referred to as a “cloud” or “cloud infrastructure” or simply an infrastructure.
- the underlying physical hardware associated with clouds which can include servers, memory, storage, and network resources, may be viewed as virtualized units. These virtualized units represent some fraction of the underlying computing hardware or resources supported by the cloud. Therefore, from a logical perspective, clouds may be viewed as a collection of virtual machines (“VMs”).
- a “cloud node” or “node” may be responsible for the control and operation of one or more VMs, and there may be several nodes per cloud.
- a cloud may provide a variety of VM types with different computing (CPU), memory, storage, networking, and Operating System (OS) options.
- Clouds may be viewed as services that provide access to infrastructure remotely, including compute, storage and network resources, so that the resources can be reserved, provisioned, accessed and released programmatically.
- programmatic interfaces such as Application Programming Interfaces (APIs), System Development Kits (SDKs), Web Services, etc. may be used to access resources made available by clouds remotely over a wide-area network (WAN).
- these resources can be accessed programmatically over the Internet and are made available as VMs on a pay-per-use basis.
- Cloud-computing infrastructures offer several benefits over fixed on-premise datacenters, server farms, desktop computers, etc. (collectively referred to as “organizational infrastructure”), including the capability to dynamically spawn or tear down a large number of VMs rapidly.
- a method may comprise instantiating a first Virtual Machine (VM) associated with a cloud based application on a cloud infrastructure, wherein the first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- the method may be implemented using a virtual appliance configured with the security certificate and wherein the virtual appliance instantiates the first VM.
- the method may be implemented using a cloud agnostic service.
- the cloud agnostic service may take the form of an infrastructure independent representation that is implemented by utilizing at least one cloud specific implementation of the infrastructure independent representation of the cloud agnostic service, and wherein the at least one cloud-specific implementation of the cloud agnostic service corresponds to the cloud infrastructure.
- the domain name server may take the form of a DNS authoritative name server for a domain corresponding to the Common Name.
- the domain name server may be a second VM running on the cloud infrastructure.
- the wildcard security certificate may be an X.509 based certificate, such as a wildcard Secure Sockets Layer (SSL) or wildcard Transport Layer Security (TLS) certificate.
- the method may further comprise determining an expiry date associated with the wildcard security certificate.
- the method may further comprise dynamically obtaining a new wildcard security certificate specifying the Common Name upon detecting that the wildcard security certificate has expired; or dynamically obtaining a new security certificate specifying the Common Name upon detecting that the period for expiry of the wildcard security certificate is within a threshold.
- the newly obtained wildcard security certificate may be dynamically installed on the first VM.
- Disclosed embodiments also pertain to an apparatus comprising at least one processing system coupled to a cloud-based infrastructure, the at least one processing system comprising a secure communication module, wherein the secure communication module is configured to: dynamically configure a first VM with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and register, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- the secure communication module may form part of a virtual appliance configured with the security certificate and wherein the virtual appliance instantiates the first VM.
- the secure communication module may be further configured to dynamically determine an expiry date associated with the wildcard security certificate. Further, the secure communication module may be configured to perform at least one of: dynamically obtaining a new wildcard security certificate specifying the Common Name upon detecting that the wildcard security certificate has expired; or dynamically obtaining a new security certificate specifying the Common Name upon detecting that the period for expiry of the wildcard security certificate is within a threshold.
- Disclosed embodiments also pertain to an apparatus comprising at least one processing means, the processing means coupled to cloud-based infrastructure means, wherein the at least one processing means comprises a secure communication means, wherein the secure communication means further comprises: means to dynamically configure a first VM with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and means for registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- Disclosed embodiments also pertain to a computer-readable medium comprising instructions, which when executed by a processor, perform steps in a method comprising: instantiating a first Virtual Machine (VM) associated with a cloud based application on a cloud infrastructure, wherein the first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- Embodiments also relate to software, firmware, and program instructions created, stored, accessed, or modified by processors using computer-readable media or computer-readable memory.
- the methods described may be performed on processors, various types of computers, and computing systems—including distributed computing systems such as clouds.
- the methods disclosed may also be embodied on computer-readable media, including removable media and non-transitory computer readable media, such as, but not limited to optical, solid state, and/or magnetic media or variations thereof and may be read and executed by processors, computers and/or other devices.
- FIG. 1 illustrates an exemplary message flow for secure communication between an application and a server.
- FIG. 2 shows a flowchart for an exemplary method for obtaining and deploying a certificate to support a secure communication protocol on one or more servers.
- FIG. 3A shows an exemplary system for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 3B shows an exemplary system to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 3C shows an exemplary system to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 4 shows an exemplary flowchart of a method for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 1 illustrates an exemplary message flow 100 to facilitate secure communication between application 10 and server 12.
- message flow 100 may form part of an https protocol based on SSL/TLS.
- The SSL/TLS protocol facilitates the determination of encryption related parameters for the secure link and for the data being exchanged across the link.
- Application 10 may send Connection/Identification Request 15 to server 12.
- Application 10 may request a connection by initiating a protocol for secure connection with server 12 .
- the connection request may include a request for identification information from server 12 .
- Server 12 may respond to Connection/Identification Request 15 by sending SSL Certificate/Public Key 30.
- any appropriate security certificate/asymmetric public key may be sent by server 12 in response to Connection/Identification Request 15.
- the term “security certificate”, also called a public key certificate, digital certificate, or identity certificate, refers to an electronic document that uses a digital signature to bind a public key to an identity.
- the identity may pertain to an entity and the certificate can be used to verify that the public key is associated with the entity.
- the security certificate may be signed by a certificate authority (CA).
- the CA may be a trusted entity that issues digital certificates.
- Each digital certificate issued by the CA certifies ownership of a public key by a subject named on the certificate, thereby facilitating reliance (e.g. by a third party) on signatures or assertions made using a private key that corresponds to the certified public key.
- the CA is a party trusted by the subject or owner of the certificate and by the party relying upon the certificate issued by the CA.
- the SSL certificate may have been obtained earlier from a trusted CA or may have been generated by an entity associated with server 12 and may include a Public Key for server 12.
- SSL/TLS/https certificates typically include domain names for server 12 , which may be based on the Domain Name System (DNS).
- the certificates may, for example, be X.509 certificates.
- X.509 is an International Telecommunications Union Standardization Sector (ITU-T) standard for a PKI and Privilege Management Infrastructure (PMI).
- X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
- DNS, which is a hierarchical distributed naming system for entities such as computers, services, and/or resources connected to the Internet or private networks, helps associate information with the domain names assigned to each of its constituent entities.
- DNS may be used to translate domain names such as “cliqr.com” to numerical Internet Protocol (IP) addresses used to locate the entities.
- DNS uses distributed databases based on a client-server model where database nodes constitute name servers. Each domain has at least one authoritative DNS server that publishes information about that domain, including any name servers of sub-domains.
- the top of the hierarchy is served by root name servers, which resolve Top Level Domain (TLD) names.
- Each domain/sub-domain under the TLD may be served by one or more authoritative name servers, which may be queried for information pertaining to their respective domains.
- When an authoritative name server is unable to respond to a request for information for a domain, the request may be propagated to name servers higher up in the DNS hierarchy.
- the DNS architecture facilitates quick user-transparent updates to the DNS databases when there are changes associated with a domain name.
- users may continue to use the domain names such as “cliqr.com” even when one or more underlying IP addresses associated with the domain (“cliqr.com”) have changed.
- FIG. 2 shows a flowchart for an exemplary method 200 for obtaining and deploying a certificate to support a secure communication protocol on one or more servers.
- a counter “i” may be set to 1. Counter i may be used to maintain a count of the servers requesting certificates.
- a Certificate Signing Request (CSR) may be generated by server 12 using an application and/or API on server 12 to obtain an X.509 certificate such as an SSL/TLS certificate.
- the CSR may include the name of the entity (e.g. the organization) requesting the certificate, the domain name where the certificate will be installed, and various other information.
- the domain name for example, may be the Fully Qualified Domain Name (FQDN), or the web address where the SSL/TLS Certificate will be used.
- SSL/TLS certificates include a Distinguished Name (DN) record.
- the DN record may further include the following fields: Country, State (or province), Locality (or city), Organization, Organizational Unit, and Common Name.
- the “Common Name” field refers to the domain name (e.g. “x.cliqr.com”) of the server or VM associated with the certificate.
- a certificate may be obtained from a CA.
- a private key and a CSR data file may be created.
- the private key and CSR data file may be sent to the CA, which may use the information to create an SSL/TLS certificate and a public key to match the private key without compromising the private key.
- a certificate is valid only for the associated FQDN. For example, a certificate associated with the FQDN “x.cliqr.com” may not be valid for “y.cliqr.com”.
- In step 80, the SSL/TLS certificate obtained in step 70 may be installed on Server i. If there are additional servers (“Y” in step 85), then, in step 90, the counter i is incremented by one and another iteration is begun at step 60. If there are no additional servers (“N” in step 85), the method terminates in step 90.
- Server 12 may respond to Connection/Identification Request 15, for example, by sending a previously obtained SSL Certificate/Public Key 30 associated with server 12.
- Application 10 may check the certificate root against a list of trusted CAs and verify that the certificate is unexpired and unrevoked. Further, Application 10 may verify that the common name associated with the certificate is valid for server 12. If Application 10 trusts the certificate, it may create, encrypt, and send back encrypted session key 35, which may be a symmetric key encrypted using the public key of server 12.
- server 12 decrypts the encrypted symmetric session key 35 using its private key and sends back acknowledgement 40 encrypted with the session key to start an encrypted session.
- application 10 and server 12 may now communicate securely by encrypting exchanged data with the session key.
- FIG. 3A shows an exemplary system 200 for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- System 200 shown in FIG. 3A is merely exemplary and is used to illustrate the operation of some disclosed embodiments. Techniques and embodiments disclosed may also be deployed and/or used in conjunction with various other cloud-based and/or distributed computing systems.
- architecture of system 200 can include exemplary User Interface Layer 110 , Cloud Provisioning and Management Layer 150 , and Cloud Application Deployment Layer 170 .
- Exemplary User Interface Layer 110 may facilitate user configuration of system 200 and may comprise Application Importer Module 112 , Policy Setting Module 116 , and Execute Module 118 .
- Application Importer Module 112 may be used to import an application profile, security certificates (e.g. an X.509 certificate) including https/SSL/TLS certificates and certificate expiry date information and other application specific information.
- the certificates associated with an application may be “wildcard certificates.” Wildcard certificates are special certificates, which may allow web-hosts and enterprises to secure unlimited sub-domains of a domain name on a single certificate. For example, wildcard certificates may use Subject Alternative Names (SANs) to secure a domain and/or one or more of its first-level subdomains. For example, a wildcard certificate associated with “cliqr.com” may be used to facilitate secure communication with “x.cliqr.com”, “y.cliqr.com” and/or “z.cliqr.com”. Wildcard certificates may also simplify the certificate life-cycle management processes by removing the need to manage and track multiple individual certificates.
- wildcard certificates associated with an application being imported may also be imported by Application Importer module 112 .
- the term “wildcard certificate” is used to refer to the certificates because the first string in the Common Name associated with a wildcard certificate may be the wildcard character “*”, which indicates that any DNS conforming string is acceptable in its place. For example, if the Common Name associated with a wildcard certificate is “*.cliqr.com”, then the domains “x.cliqr.com”, “y.cliqr.com” and “z.cliqr.com” may use the above wildcard certificate for secure communications.
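As an added example, not code from the patent, the following Python shows the three mechanisms the method and the wildcard-certificate description above rely on: deriving a per-VM DNS name from the VM's IP address and the wildcard Common Name, checking that the name is really covered by the wildcard (exactly one left-most label, as in the “x.cliqr.com” cases), and the expired / within-threshold renewal decision. The dash-encoded hostname form, the ISO 8601 date inputs and the 30-day default threshold are assumptions.

```python
"""Added example, not code from the patent: per-VM hostnames under a
wildcard certificate, wildcard name matching, and renewal timing."""
from datetime import datetime, timedelta
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def derive_domain_name(ip: str, common_name: str) -> str:
    """Derive the DNS name registered for a new VM from its IPv4 address and
    the wildcard certificate's Common Name ('*.<domain>').
    Assumption: the patent only says the name is 'derived from' the IP address;
    the dotted-to-dashed encoding used here (10.0.0.1 -> 10-0-0-1) is ours."""
    if not common_name.startswith("*."):
        raise ValueError("expected a wildcard Common Name such as '*.example.com'")
    addr = ipaddress.ip_address(ip)            # rejects malformed input
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return f"{str(addr).replace('.', '-')}.{common_name[2:].lower()}"


def wildcard_matches(common_name: str, hostname: str) -> bool:
    """Decide whether hostname is covered by the certificate's Common Name.
    A wildcard stands for exactly one left-most label (a first-level subdomain):
    '*.cliqr.com' covers 'x.cliqr.com' but not 'a.x.cliqr.com' or 'cliqr.com'.
    Partial wildcards ('x*.cliqr.com') or a wildcard deeper in the name are
    rejected rather than guessed at."""
    cn = common_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == host                       # plain (non-wildcard) name
    if not cn.startswith("*.") or "*" in cn[2:]:
        return False
    suffix = cn[1:]                             # '.cliqr.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return LABEL_RE.match(leftmost) is not None  # exactly one valid label


def renewal_action(not_after_iso: str, now_iso: str, threshold_days: int = 30) -> str:
    """Map the certificate's expiry to the three outcomes the method describes:
    'expired' (obtain a new certificate now), 'renew' (expiry within the
    threshold) or 'ok'. The 30-day threshold is an assumed default."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=threshold_days):
        return "renew"
    return "ok"


def provision_record(ip: str, common_name: str, not_after_iso: str, now_iso: str) -> dict:
    """Combine the three checks into the record a secure-communication module
    would hand to the DNS registration step. Refuses to register a name the
    certificate cannot actually serve."""
    name = derive_domain_name(ip, common_name)
    if not wildcard_matches(common_name, name):
        raise ValueError(f"{name} is not covered by {common_name}")
    return {"hostname": name, "certificate_action": renewal_action(not_after_iso, now_iso)}


if __name__ == "__main__":
    # Constructed sample values; 'cliqr.com' is the domain the patent itself uses.
    record = provision_record("10.0.0.1", "*.cliqr.com",
                              "2014-12-31T00:00:00+00:00", "2014-12-15T00:00:00+00:00")
    print(record)   # {'hostname': '10-0-0-1.cliqr.com', 'certificate_action': 'renew'}
    for host in ("x.cliqr.com", "a.x.cliqr.com", "cliqr.com"):
        print(host, wildcard_matches("*.cliqr.com", host))
```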
- Exemplary User Interface Layer 110 may also include various end-user modules that permit user customization and configuration of system 100 .
- Exemplary Application Importer Module 112 may facilitate the importation of new applications into system 100 .
- imported applications may be displayed to users using a “desktop-style” view, where icons representing the various applications are shown to the user in a window or browser tab.
- pre-published applications in a marketplace associated with system 200 (for example, applications in an application library or “app store” associated with or supported by system 200) may be imported by users directly onto their desktop view.
- Application Importer Module 112 may allow users to license or buy one or more of pre-published applications.
- any software application may be imported using exemplary Application Importer Module 112 in User Interface Layer 110 .
- an organization may deploy a desktop application on a cloud to be shared by users (e.g. employees and/or customers).
- the application and any associated security certificates may be imported using Application Importer module 112 .
- Policy Settings Module 116 may provide appropriate graphical user interfaces and other features to permit users to set, modify, and/or delete policies, which may be implemented using Policy Engine 134 .
- users may set policies that limit the clouds and/or configurations that specific user(s) and/or application(s) may use, limit the monetary budget available for an application run or a series of runs, etc.
- Execute Module 118 may provide user interfaces to permit users to select an application, a cloud 172 (from available clouds 172-1, 172-2 . . . 172-N), associate other user configurable settings with the application, and execute the application on the selected cloud 172.
- User Interface Layer 110 may include several other modules (not shown) to allow users to specify system functionality related to reporting, auditing, billing, and permit viewing of application files and data on shared storage.
- Reporting may provide analytical reports, runtime statistics, and/or other information. The reports may be diced and sliced based on user, application, and/or other criteria. Auditing may use agent monitoring to track user actions and report them. Billing may track the price of each job for invoicing to the customer.
- Modules in User Interface Layer 110 may also allow users to set permissions and other attributes on application and storage files in order to facilitate sharing and collaboration with other users.
- Exemplary Cloud Provisioning and Management Layer 150 may facilitate the management of cloud resources, prepare applications for deployment on one or more clouds, and may include Cloud Standardization Layer 160 .
- Exemplary Cloud Provisioning and Management Layer 150 may also include exemplary Orchestrator module 130 and System Manager module 120 .
- Cloud Standardization Layer 160 may include functionality to facilitate standardization of library constructs (such as shared storage, network, cluster, security, etc.) across a variety of cloud providers. Although cloud providers may have provider-specific Application Programming Interfaces (APIs) and other infrastructure differences, Cloud Standardization Layer 160 may provide applications a cloud agnostic or a cloud infrastructure-independent view of resources, including compute, storage and network resources. For example, Cloud Standardization Layer 160 can be a repository for various functional modules that permit applications to utilize various resources (including shared storage, server types, clusters and features such as queues, security, etc.) on each cloud in a cloud-agnostic manner.
- Cloud Standardization Layer 160 may maintain resource standardizations for various clouds, such as exemplary clouds 172-1, 172-2 . . . 172-N, as well as references to cloud-specific implementations of the standardizations for each cloud 172.
- exemplary Cloud Standardization Layer 160 may also maintain service-level agreements (SLAs), capability information about each cloud resource, information pertaining to cloud availability, reliability, and security, and performance and pricing information.
- Information may be maintained by Cloud Standardization Layer 160 by using metadata XML files or databases, which, in some implementations, may be persistent.
- the capability information can be stored as {key, value} pairs in a database. Because individual clouds may have different capabilities for a standardized resource type, capability information may be indexed by cloud.
- System Manager 120 may manage user information and coordinate various user tasks with Orchestrator 130 .
- System Manager 120 may receive, maintain, and update user information 122 , cloud information 124 , application related information 126 (e.g. application profile, security certificates such as X.509 certificates including https/SSL/TLS certificates, and certificate expiry date information) and other data 128 such as job history, housekeeping information etc.
- System Manager 120 may provide information about the application being deployed.
- System Manager 120 may also facilitate user views of application files and data on shared storage, may move the application files and data to cloud storage, and synchronize the application files and data between clouds.
- System Manager 120 may serve as a storehouse and manager of information pertaining to user activities.
- System Manager 120 may act as a management layer to initiate and manage application deployment and monitoring activities.
- System Manager may store, persist, and/or provide information imported by Application Importer Module 112 including security certificate information (e.g. X.509 certificate information) such as https/SSL/TLS certificate information and certificate expiry date information associated with an application/entity.
- System Manager 120 may interact with modules in User Interface Layer 110 in order to facilitate the performance of management tasks on applications that may have been initiated by the user through User Interface Layer 110 .
- Management tasks facilitated by System Manager 120 may include, for example, initiating application deployment, facilitating secure communications, configuring user and cloud accounts, specifying policies for application runs, and specifying base metrics around desired application price and performance.
- System Manager 120 may also manage automated tasks, which, in some embodiments, may have been initiated by Orchestrator 130 .
- System Manager 120 may also call or invoke functions implemented by Orchestrator 130 in order to perform various system related activities.
- System Manager 120 may invoke Secure Communications Module 137 to facilitate secure communication with a new VM spawned by a cloud based application.
- System Manager 120 may maintain a relational database or data repository with information pertaining to system users including user authentication and authorization information; a list of clouds (172-1, . . .
- X.509 certificate information which may include https/SSL/TLS certificate information, certificate expiry date information; policies that a user may have specified, etc.
- Orchestrator 130 may use a common application representation to deploy and run a given application on any cloud, irrespective of implementation differences pertaining to the provisioning and utilization of application resources on the individual clouds, in part, by using functionality provided by Cloud Standardization Layer 160 .
- Orchestrator 130 may include a cloud coordinator or gateway.
- the common application representation may take the form of application descriptors (not shown), which may be input to Orchestrator 130 .
- a user may specify applications to import using Application Importer module 112 and application descriptors, which may include various primitives such as pattern and system primitives, may be used to describe applications to Cloud Standardization Layer 160 .
- the pattern and system primitives may describe the execution patterns as well as node, storage, communication and network characteristics.
- Exemplary application descriptors can include information such as: application software and hardware requirements, application profile (whether memory intensive, Input-Output intensive, CPU intensive, etc.), specification of a distributed computing paradigm, application steps (for workflow style applications).
- These primitives, Orchestrator 130 , and cloud coordinator/gateway have also been described in greater detail in co-pending U.S. patent application Ser. No. 13/024,302 filed Feb. 9, 2011, entitled “Apparatus, Systems and Methods for Deployment and Management of Distributed Computing Systems and Applications,” which has been incorporated by reference in its entirety into the present application.
- Orchestrator 130 may facilitate the deployment, running, and monitoring of applications on various clouds. For example, Orchestrator 130 may dynamically build clusters on a selected cloud 172 for application execution in response to an execute command entered by a user using an interface presented by Execute module 118 . In some embodiments, Orchestrator module 130 may interact with Policy Engine 134 , Secure Communication Module 137 and various other modules (not shown) depicted by the dashed line between the listed modules.
- Orchestrator 130 may maintain routines and other program code that implement algorithms for deploying, optimizing, managing and monitoring application runs on clouds. In some embodiments, routines and other functions performed by Orchestrator 130 may be managed and initiated by the System Manager 120 . Orchestrator 130 may also report back the status and results of the various orchestration activities to System Manager 120 . In one embodiment, Orchestrator 130 may directly query System Manager for information such as application data, policies, and cloud information.
- Policy Engine 134 may help enforce customer, user, and/or administrator policies. For example, Policy Engine 134 may enforce policies set by users through Policy Setting Module 116 that specify uptime criteria for clouds and/or applications that may be candidates for an application run, or the maximum budget per user over some period, or maximum application runtime on a cloud 172 .
- Secure Communications module 137 may provide functionality to associate wildcard certificates with VMs spawned by an application.
- the wildcard certificates may be associated with an entity and a domain where an application may be run and/or deployed.
- Secure Communications module 137 may be invoked and provide functionality to spawn VMs and associate appropriate SSL/TLS/https wildcard certificates with the VMs.
- the SSL/TLS/https wildcard certificates may be obtained by querying System Manager 120 and/or from a cache and/or from one or more databases maintained by System Manager 120 .
- Secure Communications module 137 may register the VMs with a DNS server.
- functionality provided by Secure Communications module 137 may be used to obtain an IP address such as “X.Y.Z.W” associated with the VM, where 0 ≤ X, Y, Z, W ≤ 255.
- functionality provided by Secure Communications module 137 may be used to register a domain name associated with the VM. For example, for a VM with IP address “X.Y.Z.W” spawned in a domain “cliqr.com”, the domain name registered with the DNS name server may take the form “X-Y-Z-W.cliqr.com.”
- the use of the IP address associated with a VM as part of its domain name may ensure that the domain name associated with each VM is unique.
- a name based, at least in part, on the IP address associated with the VM may be used to register the VM with the DNS server.
- various other techniques may be used to obtain the domain name for the VM. For example, a string based on a function of the IP address or generated using a pseudo-random process with the IP address as seed may be used.
- the use of the IP addresses (appropriately modified to comply with domain naming schemes) may also facilitate easy identification of VMs for debugging, troubleshooting and other purposes.
- Secure Communications module 137 may facilitate agile secure communications dynamically as new VMs are spawned by a distributed and/or cloud-based application.
- Secure Communications module 137 may provide functionality to determine if one or more security certificates such as SSL/TLS/https certificates associated with an application have expired and/or are about to expire and may alert an entity associated with the TLS/SSL/https to renew and/or obtain a new certificate.
- an application-related database maintained by System Manager 120 may be queried to determine expired certificates.
- the validity period associated with a certificate may be stored as part of application related information by System Manager 120 at the time an application is imported by Application Importer module 112 .
- Secure Communications module 137 may be implemented, in part, as a cloud agnostic service that associates wildcard certificates to VMs running in a cloud and/or registers the VM to be configured with a SSL/TLS/https certificate with a DNS server.
- the cloud agnostic service may be invoked to spawn VMs that use secure communication, and/or when new VMs that use secure communication are spawned. For example, as discussed above, for a VM with IP address “X.Y.Z.W” spawned in a domain “cliqr.com”, the domain name registered with the DNS name server may take the form “X-Y-Z-W.cliqr.com.”
- the cloud agnostic service associated with Secure Communications module 137 may provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire and may alert an entity (e.g. the domain owner) associated with the TLS/SSL/https to renew and/or obtain a new certificate.
- Secure Communications module 137 and/or the cloud agnostic service associated with Secure Communications module 137 may reside on an SSL configured Virtual Appliance.
- a software appliance is a software application, which may be combined with an operating system so that the software can be run easily on industry standard hardware or virtual machines.
- a virtual appliance may be created when the installation of a software appliance on a virtual machine is packaged.
- a virtual appliance refers to a virtual machine image that can run on a virtualization platform.
- a virtual machine image may take the form of a filesystem image and may include an operating system and the software required to deliver functionality or services.
- Secure Communications module 137 and/or the cloud agnostic service associated with Secure Communications module 137 may form part of a virtual appliance, which, in some embodiments, may also include one or more other modules, software and/or services.
- functionality provided by the virtual appliance may be used to register a VM with a DNS server and/or associate appropriate wildcard certificates with the VM, thereby facilitating agile secure communications dynamically as new VMs are spawned by a distributed and/or cloud-based application.
- a name based, at least in part, on the IP address associated with the VM may be used to register the VM with the DNS server.
- the virtual appliance may provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire and may alert an entity associated with the TLS/SSL/https to renew and/or obtain a new certificate.
- Tasks performed by Orchestrator 130 on Clouds 172 may be facilitated by Cloud Standardization Layer 160 .
- functionality provided by Cloud Standardization Layer 160 permits Orchestrator 130 to use infrastructure independent representations of application code to deploy applications.
- the cloud agnostic service associated with Secure Communications module 137 may make use of functionality provided by Cloud Standardization Layer 160 .
- the infrastructure independent or cloud independent or cloud agnostic program code may be common across all clouds 172 because the Cloud Standardization Layer 160 uses cloud specific Plugins, APIs and Cloud Specific Libraries to perform tasks for Orchestrator 130 on any given cloud 172 - n.
- Cloud Application Deployment Layer 170 may include Cloud Plugins 142 , Cloud APIs 144 and Cloud Specific Libraries 146 .
- the dynamic management of clusters and other cloud resources may be facilitated by using a node management service running on a “cloud coordinator/gateway” or “gateway” (not shown) for a specific cloud 172 .
- the gateway may also maintain Cloud APIs 144 , such as Cloud-1 APIs 144 - 1 , Cloud-2 APIs 144 - 2 , etc., as well as Cloud specific Libraries 146 , such as Cloud 1 Specific Libraries 146 - 1 , Cloud 2 Specific Libraries 146 - 2 , etc.
- the node management service may act as an intermediate layer between the cloud provider and the cloud orchestrator code and facilitate the addition or removal of nodes.
- Cloud Specific Libraries 146 and Cloud APIs 144 may comprise a library of implementations for primitives and composite interfaces, respectively, for a specific cloud 172 .
- Cloud APIs 144 and Cloud Specific Libraries 146 may be invoked using Cloud Plugins 142 .
- Cloud Plugins 142 may be used to invoke appropriate Cloud APIs 144 and routines from Cloud Specific Libraries 146 that permit the deployment and running of applications on Clouds 172 , where the applications may have been described using application descriptors and standardized primitives from Cloud Standardization Layer 160 .
- a gateway may use Cloud APIs 144 and Cloud Specific Libraries 146 to perform deployment and execution tasks for its cloud 172 .
- For example, shared storage primitives on Cloud Standardization Layer 160 may lead to instantiation of a DFS shared storage implementation on an Amazon™ cloud, while instantiating the shared storage implementation on a Terremark™ cloud will set up NAS/SAN.
- the gateway may also launch one or more agents, which can be deployed on nodes on Clouds 172 , to monitor and report task status back to the gateway.
- functionality specified or configured by the user in User Interface Layer 110 may be implemented by one or more modules in the Cloud Provisioning and Management Layer 150 and/or Cloud Application Deployment Layer 170 , which, in some implementations, may include software agents running on a server and/or on the various clouds. These software agents may monitor application runtime statistics, collect cloud related information such as but not limited to cloud load information, pricing information, security information etc., and/or collect information related to user actions.
- the software agents may run on each VM and may periodically check the validity of installed security certificates such as https/SSL/TLS certificates and may communicate with System Manager 120 .
- System Manager may trigger notifications to a cloud, domain and/or application administrator regarding renewal of the security certificates.
- System Manager 120 may invoke an appropriate https/SSL/TLS certificate vendor API to acquire new certificates and/or renew certificates and install the certificates on the VM. For example, new certificates may be obtained if a certificate has expired or if the expiration date of the current certificate falls within some threshold.
- the threshold may be some time period and may be specified relative to a point in time at which the certificate expiry date is determined. In some embodiments, the threshold may be set in an application/user profile and/or may be some predetermined time period.
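The expiry-threshold check described above, as an added example in Python rather than code from the patent: function names, record fields and the sample records are constructed for illustration, and the notAfter strings use the format returned by OpenSSL and Python's `ssl.getpeercert()`.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Hypothetical helper names; the patent describes the threshold check but gives no code.


def not_after_utc(not_after: str) -> datetime:
    """Parse a certificate notAfter field such as "Jun 30 23:59:59 2026 GMT"
    (the form printed by OpenSSL / returned by ssl.getpeercert()) into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def certificate_status(not_after: str, threshold: timedelta, now: datetime) -> str:
    """Classify a certificate relative to `now`:
    'expired'  - notAfter is at or before now
    'renew'    - still valid, but expiry falls within the threshold window
    'valid'    - expiry is further away than the threshold"""
    expiry = not_after_utc(not_after)
    if expiry <= now:
        return "expired"
    if expiry - now <= threshold:
        return "renew"
    return "valid"


def renewal_alerts(app_records, now=None):
    """Scan application records of the kind the text says System Manager keeps
    (certificate info plus an optional per-application threshold) and return one
    alert per application whose certificate is expired or inside its renewal window.
    The threshold is taken from the record (profile setting) or defaults to 30 days."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for rec in app_records:
        threshold = timedelta(days=rec.get("renew_threshold_days", 30))
        status = certificate_status(rec["not_after"], threshold, now)
        if status != "valid":
            alerts.append({
                "application": rec["application"],
                "common_name": rec["common_name"],
                "status": status,
                "notify": rec["domain_owner"],   # entity alerted to renew/obtain a certificate
                "expires": not_after_utc(rec["not_after"]).isoformat(),
            })
    return alerts


# Constructed sample records (not real certificates, applications or contacts).
SAMPLE_RECORDS = [
    {"application": "payroll-web", "common_name": "*.cliqr.com",
     "domain_owner": "ops@example.invalid",
     "not_after": "Dec 20 00:00:00 2025 GMT", "renew_threshold_days": 30},
    {"application": "reports", "common_name": "*.cliqr.com",
     "domain_owner": "ops@example.invalid",
     "not_after": "Jan 15 00:00:00 2026 GMT", "renew_threshold_days": 30},
    {"application": "archive", "common_name": "*.cliqr.com",
     "domain_owner": "ops@example.invalid",
     "not_after": "Sep 01 00:00:00 2026 GMT"},   # falls back to the 30-day default
]

# Fixed reference time so the run is reproducible (constructed).
EXAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in renewal_alerts(SAMPLE_RECORDS, now=EXAMPLE_NOW):
        print(alert)
```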
- the software agents may collect data for each application run, which may include but is not limited to: the time of the application run, cloud name where the application was run, cloud configuration for the application run, the pricing of that configuration, machine type, cluster size, storage size, memory size, network backbone type, storage implementation, data pertaining to success/failure/abnormal termination and cause, latency (length of an application run), throughput (number of transactions or requests), cost, etc.
- an agent on each node of a cluster may monitor application runs for individual applications.
- the data gathered and reported by the agent at a cluster node may be aggregated and used at the gateway level to monitor and track performance and costs across applications for a user and/or client.
- System Manager 120 may aggregate data across users and/or applications by cloud and store the data in a form that may be used for analytics and recommendation purposes.
- cloud-specific implementation of the distributed computing application may be derived from the infrastructure independent representation and the cloud-specific implementation of the distributed computing application corresponding to the selected cloud-configuration may be run on the selected cloud-configuration.
- an infrastructure independent representation of a distributed computing application may be deployed and run on various cloud configurations such as on one or more of Amazon EC2, Terremark vCloud, Rackspace Cloudserver, Microsoft Azure, Savvis, or private clusters.
- FIG. 3B shows a block diagram of an exemplary system 300 to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- system 300 may comprise Secure Communications Module 137 , which may obtain Wildcard SSL certificate/private key 305 .
- Secure Communications Module 137 may obtain Wildcard SSL certificate/private key 305 from a trusted CA or another entity.
- Secure Communications module 137 may reside on and/or form part of SSL configured Virtual Appliance 310 as indicated by the dashed box.
- functionality associated with Secure Communications module 137 may be realized on Cloud 172 - j, 1 ≤ j ≤ N, using Cloud Standardization Layer 160 , Application Deployment layer 170 and/or Cloud Coordinator/Gateway 380 .
- functionality provided by Secure Communications Module 137 and/or Virtual Appliance 310 may be used to dynamically register one or more VMs 385 - k, 1 ≤ k ≤ M, with DNS Name server 389 and/or associate appropriate wildcard certificates 305 with VMs 385 - k, thereby facilitating agile secure communications dynamically as new VMs 385 - k are spawned by a distributed and/or cloud-based application shown as App Servers 387 - k, 1 ≤ k ≤ M.
- wildcard certificates may specify the Common Name as “*.cliqr.com” and each VM 385 - k may be named as “X-Y-Z-W.cliqr.com” where “X.Y.Z.W” is the IP address associated with VM 385 - k.
- functionality provided by Secure Communications Module 137 and/or Virtual Appliance 310 may then be used to dynamically register one or more VMs 385 - k using the name “X-Y-Z-W.cliqr.com” with the appropriate Name Server 389 .
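The IP-derived naming scheme (“X.Y.Z.W” to “X-Y-Z-W.cliqr.com”) and its fit with a single-label wildcard Common Name such as “*.cliqr.com”, as an added Python example that is not the patent's own code; the function names and the in-memory zone dictionary are assumptions, and the matching rule (the wildcard covers exactly one left-most label) is the usual X.509 host-name matching behaviour, which the page does not spell out.

```python
import ipaddress

# Hypothetical helper names; the patent describes the scheme but gives no code.


def vm_dns_name(ip: str, domain: str) -> str:
    """Derive the VM's DNS name from its IPv4 address: dots become hyphens so the
    whole address fits in ONE label directly under the wildcard's domain."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError unless each octet is 0..255
    return f"{str(addr).replace('.', '-')}.{domain.strip('.').lower()}"


def vm_ip_from_dns_name(name: str, domain: str) -> str:
    """Recover the IP address from a name produced by vm_dns_name (the page notes
    this helps identify VMs when troubleshooting). Raises ValueError otherwise."""
    suffix = "." + domain.strip(".").lower()
    if not name.lower().endswith(suffix):
        raise ValueError(f"{name!r} is not under {domain!r}")
    octets = name[: -len(suffix)].split("-")
    if len(octets) != 4:
        raise ValueError(f"{name!r} is not an IPv4-derived name")
    return str(ipaddress.IPv4Address(".".join(octets)))


def wildcard_matches(common_name: str, hostname: str) -> bool:
    """Match hostname against a single-label wildcard Common Name like "*.cliqr.com".
    The wildcard covers exactly one left-most label: "a.cliqr.com" matches,
    "a.b.cliqr.com" and the bare "cliqr.com" do not, which is why the IP must be
    folded into a single hyphenated label."""
    cn_labels = common_name.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if cn_labels[0] != "*" or len(cn_labels) < 3:   # no "*.com"-style wildcards
        return False
    return len(cn_labels) == len(host_labels) and cn_labels[1:] == host_labels[1:]


def register_vm(ip: str, common_name: str, zone: dict) -> str:
    """Derive the VM's name, confirm the wildcard certificate will be valid for it,
    then add an A record to `zone` (a constructed in-memory stand-in for the name
    server). Refuses to silently overwrite a name that points at a different VM."""
    if not common_name.startswith("*."):
        raise ValueError("expected a wildcard Common Name such as *.cliqr.com")
    name = vm_dns_name(ip, common_name[2:])
    if not wildcard_matches(common_name, name):
        raise ValueError(f"{name} is not covered by {common_name}")
    if zone.get(name, ip) != ip:
        raise ValueError(f"name collision for {name}")
    zone[name] = ip
    return name


if __name__ == "__main__":
    zone = {}
    for vm_ip in ("50.25.10.1", "10.0.0.7"):        # constructed sample addresses
        print(register_vm(vm_ip, "*.cliqr.com", zone))
    print(zone)
```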
- an organization may share a desktop based application with users but may opt to deploy the application on a cloud, where it may be accessed securely by users, for example, through a browser using the “https” protocol.
- the term “desktop application” is used to collectively refer to typical applications that are typically run locally on a single computer such as exemplary local computer system 110 , for example, by a user at a terminal coupled to the computing system.
- the desktop application may be hosted on one or more cloud nodes and accessed securely by users through a web browser.
- Cloud hosting of applications may offer several advantages including enhanced security, higher availability of the application, remote access, lower costs, etc.
- when https is used to secure communications with the cloud nodes, SSL/TLS/https certificates may be used.
- disclosed embodiments facilitate the dynamic association of the wildcard SSL/TLS/https certificate associated with the organization (and the domain name/application) to cloud nodes running the application. Because cloud nodes running the application belong to the organization, disclosed techniques facilitate dynamic association of the cloud nodes with a single security domain defined by the wildcard SSL/TLS/https certificate.
- App Servers 387 - k, 1 ≤ k ≤ M, may host the exemplary desktop application described above and/or one or more additional cloud based applications.
- Embodiments disclosed thus facilitate an “elastic” security domain, which may grow or shrink in accordance with the instantiating of new VMs and tearing down of existing VMs.
- a name based, at least in part, on the IP address associated with a VM 385 - k may be used to register the VM 385 - k with DNS Name Server 389 .
- DNS Name Server 389 may be implemented as VM 385 - 0 .
- virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may keep track of application deployment on VMs 385 - k (e.g. by maintaining an application-VM mapping) and may update the wildcard SSL certificate on demand on one or more of the VMs 385 - k.
- SSL certificate/private key 305 may be pre-configured on a virtual appliance 310 , and new VMs 387 - k may be spawned using virtual appliance 310 .
- virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may register a domain name which may be derived from the IP address associated with the VM 387 - k.
- virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may: (i) obtain and/or be configured with wildcard SSL certificate and private key 305 ; (ii) launch name server 389 , which may, in some instances, register with Authoritative DNS server 345 as a name server for the domain “cliqr.com”; (iii) instantiate VMs 385 - k in cloud 172 - j with wildcard certificate and private key 305 ; and (iv) dynamically register the IP addresses of VMs 385 - k with name server 389 .
- VMs 385 - k may be instances of virtual appliance 310 .
- name server 389 may, in turn, register with Authoritative DNS server 345 to permit access to VMs 385 - k over network 330 .
- Secure Communications Module 137 and/or virtual appliance 310 may also provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire and may alert an entity associated with the TLS/SSL/https to renew and/or obtain a new certificate. For example, new certificates may be obtained if a certificate has expired or if the expiration date of the current certificate falls within some threshold time period. In some embodiments, the threshold may be set in an application/user/Secure Communications Module profile and/or may be some predetermined time period.
- FIG. 3C shows a block diagram of an exemplary system 350 to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- As shown in FIG. 3C , except as outlined below, blocks with the same identifiers have functionality similar to the blocks described in FIG. 3B above.
- virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may: (i) obtain and/or be configured with wildcard SSL certificate and private key 305 ; (ii) instantiate VMs 385 - k in cloud 172 - j with wildcard certificate and private key 305 and (iii) dynamically register the IP addresses of VMs 385 - i with authoritative DNS name server 345 .
- an API of an external DNS service may be used to register the host name and IP address with authoritative DNS name server 345 .
- FIG. 4 shows an exemplary flowchart of a method 400 for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- portions of method 400 may be performed by virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 .
- method 400 may be invoked in step 405 .
- Secure Communication module 137 may be invoked by System Manager 120 .
- Secure Communication module 137 may, in turn, invoke functionality provided by Cloud Standardization layer 160 and Application Deployment layer.
- VMs may be instantiated in a specific cloud along with wildcard certificate and private key 305 associated with an entity owning a domain used by the application.
- VMs 385 - k may be instantiated with a wildcard SSL certificate and private key 305 associated with an entity owning a domain used by the application.
- the VMs may be registered with a DNS Name Server, wherein the domain name associated with the VM may be derived from its IP address.
- the IP address associated with one or more VMs 385 - k may be obtained, and a valid DNS name may be derived from the IP address.
- a DNS name for the VM may be set to “50-25-10-1.cliqr.com”, where “cliqr.com” is the higher level domain name. Control may then be returned to the invoking routine in step 425 .
- secure communication with the VMs may commence using the SSL certificate, and public and private keys.
- wildcard SSL certificate and private key 410 may be configured as part of a virtual appliance such as virtual appliance 310 .
- method 400 is exemplary and for descriptive purposes only, and functionality disclosed in one or more steps may be rearranged (re-ordered, combined and/or deleted) in a manner consistent with disclosed embodiments, as would be apparent to one of ordinary skill in the art.
- the methods and modules described herein may be implemented using a variety of wired and/or wirelessly networked processors, various computers, and computing devices, including mobile devices such as smartphones, notebooks, and handheld computers, and various distributed computing systems.
Description
- 1. Field of the Invention
- The present invention relates to the field of distributed computing and in particular, to apparatus, systems, and methods to facilitate secure communications for cloud-based applications.
- 2. Description of Related Art
- The performance of computing applications may often be increased by distributing the computational workload across nodes in a networked cluster of computers. A physical networked cluster of computers is often referred to as a “cloud” or “cloud infrastructure” or simply an infrastructure. The underlying physical hardware associated with clouds, which can include servers, memory, storage, and network resources, may be viewed as virtualized units. These virtualized units represent some fraction of the underlying computing hardware or resources supported by the cloud. Therefore, from a logical perspective, clouds may be viewed as a collection of virtual machines (“VMs”). A “cloud node” or “node” may be responsible for the control and operation of one or more VMs, and there may be several nodes per cloud. Typically, a cloud may provide a variety of VM types with different computing (CPU), memory, storage, networking, and Operating System (OS) options.
- Clouds, thus, may be viewed as services that provide access to infrastructure remotely, including compute, storage and network resources, so that the resources can be reserved, provisioned, accessed and released programmatically. For example, programmatic interfaces such as Application Programming Interfaces (APIs), System Development Kits (SDKs), Web Services, etc. may be used to access resources made available by clouds remotely over a wide-area network (WAN). For example, in publicly available clouds or “public clouds”, these resources can be accessed programmatically over the Internet and are made available as VMs on a pay-per-use basis.
- Cloud-computing infrastructures offer several benefits over fixed on-premise datacenters, server farms, desktop computers, etc. (collectively referred to as “organizational infrastructure”), including the capability to dynamically spawn or tear down a large number of VMs rapidly. However, when applications running on one or more of the newly spawned VMs attempt to communicate securely, for example, using the hypertext transfer protocol secure (“https”) with Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS) certificates, human intervention or complicated schemes are often used to enable secure communication. The use of complicated schemes/protocols and/or human intervention to correctly configure https over SSL/TLS in cloud-based environments is impractical and unwieldy and also creates delays.
- Thus, there is a need for systems, methods, and apparatus that facilitate the mapping and binding of SSL/TLS certificates to domain names of dynamically spawned VMs transparently in cloud-based and/or distributed computing environments while also maintaining system integrity. Accordingly, disclosed embodiments facilitate secure communication for cloud-based and/or distributed computing applications.
- Consistent with embodiments disclosed herein, apparatus, systems and methods for facilitating secure communications for cloud-based applications are presented. In some embodiments, a method may comprise instantiating a first Virtual Machine (VM) associated with a cloud based application on a cloud infrastructure, wherein the first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- In some embodiments, the method may be implemented using a virtual appliance configured with the security certificate and wherein the virtual appliance instantiates the first VM. In some embodiments, the method may be implemented using a cloud agnostic service. In some instances, the cloud agnostic service may take the form of an infrastructure independent representation that is implemented by utilizing at least one cloud specific implementation of the infrastructure independent representation of the cloud agnostic service, and wherein the at least one cloud-specific implementation of the cloud agnostic service corresponds to the cloud infrastructure.
- In some embodiments, the domain name server may take the form of a DNS authoritative name server for a domain corresponding to the Common Name. In some embodiments, the domain name server may be a second VM running on the cloud infrastructure. In some embodiments, the wildcard security certificate may be a X.509 based certificate, such as a wildcard Secure Sockets Layer (SSL) or wildcard Transport Layer Security (TLS) certificate.
- In some embodiments, the method may further comprise determining an expiry date associated with the wildcard security certificate. The method may further comprise dynamically obtaining a new wildcard security certificate specifying the Common Name upon detecting that the wildcard security certificate has expired; or dynamically obtaining a new security certificate specifying the Common Name upon detecting that the period for expiry of the wildcard security certificate is within a threshold. In some embodiments, the newly obtained wildcard security certificate may be dynamically installed on the first VM.
- Disclosed embodiments also pertain to an apparatus comprising at least one processing system coupled to a cloud-based infrastructure, the at least one processing system comprising a secure communication module, wherein the secure communication module is configured to: dynamically configure a first VM with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and register, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate. In some embodiments, the secure communication module may form part of a virtual appliance configured with the security certificate and wherein the virtual appliance instantiates the first VM.
- In some embodiments, the secure communication module may be further configured to dynamically determine an expiry date associated with the wildcard security certificate. Further, the secure communication module may be configured to perform at least one of: dynamically obtaining a new wildcard security certificate specifying the Common Name upon detecting that the wildcard security certificate has expired; or dynamically obtaining a new security certificate specifying the Common Name upon detecting that the period for expiry of the wildcard security certificate is within a threshold.
- Disclosed embodiments also pertain to an apparatus comprising at least one processing means, the processing means coupled to cloud-based infrastructure means, wherein the at least one processing means comprises a secure communication means, wherein the secure communication means further comprises: means to dynamically configure a first VM with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and means for registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- Disclosed embodiments also pertain to a computer-readable medium comprising instructions, which when executed by a processor, perform steps in a method comprising: instantiating a first Virtual Machine (VM) associated with a cloud based application on a cloud infrastructure, wherein the first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
- Embodiments also relate to software, firmware, and program instructions created, stored, accessed, or modified by processors using computer-readable media or computer-readable memory. The methods described may be performed on processors, various types of computers, and computing systems—including distributed computing systems such as clouds. The methods disclosed may also be embodied on computer-readable media, including removable media and non-transitory computer readable media, such as, but not limited to optical, solid state, and/or magnetic media or variations thereof and may be read and executed by processors, computers and/or other devices.
- These and other embodiments are further explained below with respect to the following figures.
- FIG. 1 illustrates an exemplary message flow for secure communication between an application and a server.
- FIG. 2 shows a flowchart for an exemplary method for obtaining and deploying a certificate to support a secure communication protocol on one or more servers.
- FIG. 3A shows an exemplary system for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 3B shows an exemplary system to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 3C shows an exemplary system to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments.
- FIG. 4 shows an exemplary flowchart of a method for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments.
- In accordance with embodiments disclosed herein, apparatus, systems and methods to facilitate secure communications for cloud-based applications are presented.
- FIG. 1 illustrates an exemplary message flow 100 to facilitate secure communication between application 10 and server 12. In some instances message flow 100 may form part of an https protocol based on SSL/TLS. Typically, the SSL/TLS handshake negotiates the encryption-related parameters for the secure link and for the data exchanged across it.
- In 1, Application 10 may send Connection/Identification Request 15 to server 12. For example, Application 10 may request a connection by initiating a protocol for a secure connection with server 12. In some instances, the connection request may include a request for identification information from server 12.
- In 2, Server 12 may respond to Connection/Identification Request 15 by sending SSL Certificate/Public Key 30. In general, any appropriate security certificate/asymmetric public key may be sent by server 12 in response to Connection/Identification Request 15. The term security certificate, also called a public key certificate, digital certificate, or identity certificate, refers to an electronic document that uses a digital signature to bind a public key to an identity. The identity may pertain to an entity, and the certificate can be used to verify that the public key is associated with that entity. Typically, in public key infrastructure (PKI) schemes, the security certificate is signed by a certificate authority (CA), a trusted entity that issues digital certificates. Each digital certificate issued by the CA certifies ownership of a public key by the subject named on the certificate, thereby allowing a relying party (e.g. a third party) to rely on signatures or assertions made using the private key that corresponds to the certified public key. In PKI models, the CA is trusted both by the subject or owner of the certificate and by the party relying upon the certificate issued by the CA.
- For example, the SSL certificate may have been obtained earlier from a trusted CA or may have been generated by an entity associated with server 12, and may include a public key for server 12. SSL/TLS/https certificates typically include domain names for server 12, which may be based on the Domain Name System (DNS). The certificates may, for example, be X.509 certificates. In cryptography, X.509 is an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standard for a PKI and Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
- DNS, a hierarchical distributed naming system for entities such as computers, services, and/or resources connected to the Internet or to private networks, associates information with the domain names assigned to each of its constituent entities. For example, DNS may be used to translate a domain name such as "cliqr.com" to the numerical Internet Protocol (IP) addresses used to locate the entities.
- DNS uses distributed databases based on a client-server model, where the database nodes are name servers. Each domain has at least one authoritative DNS server that publishes information about that domain, including the name servers of any sub-domains.
- The top of the hierarchy is served by root name servers, which resolve Top Level Domain (TLD) names. Each domain/sub-domain under a TLD may be served by one or more authoritative name servers, which may be queried for information pertaining to their respective domains. When a name server is unable to answer a request for a domain, the request may be referred to other name servers in the DNS hierarchy.
- The DNS architecture facilitates quick, user-transparent updates to the DNS databases when there are changes associated with a domain name. Thus, for example, users may continue to use a domain name such as "cliqr.com" even when one or more underlying IP addresses associated with the domain have changed.
- FIG. 2 shows a flowchart for an exemplary method 200 for obtaining and deploying a certificate to support a secure communication protocol on one or more servers.
- After starting in step 50, where initialization routines and housekeeping operations may be performed, in step 55 a counter "i" may be set to 1. Counter i may be used to maintain a count of the servers requesting certificates.
- In step 60, a Certificate Signing Request (CSR) may be generated by server 12 using an application and/or API on server 12 to obtain an X.509 certificate such as an SSL/TLS certificate. For example, the CSR may include the name of the entity (e.g. the organization) requesting the certificate, the domain name where the certificate will be installed, and various other information. The domain name, for example, may be the Fully Qualified Domain Name (FQDN), or the web address where the SSL/TLS certificate will be used. Typically, SSL/TLS certificates include a Distinguished Name (DN) record. The DN record may further include the following fields: Country, State (or province), Locality (or city), Organization, Organizational Unit, and Common Name. The "Common Name" field refers to the domain name (e.g. "x.cliqr.com") of the server or VM associated with the certificate.
- In step 70, a certificate may be obtained from a CA. For example, generating the CSR creates a private key and a CSR data file; the CSR contains the public key that corresponds to the private key together with the DN information, and is signed with the private key. Only the CSR data file is sent to the CA, which uses it to create an SSL/TLS certificate binding that public key to the named subject. The private key never leaves server 12 and is not disclosed to the CA. Typically, a certificate is valid only for the associated FQDN. For example, a certificate associated with the FQDN "x.cliqr.com" may not be valid for "y.cliqr.com".
- In step 80, the SSL/TLS certificate obtained in step 70 may be installed on Server i. If there are additional servers ("Y" in step 85), then, in step 90, the counter i is incremented by one and another iteration is begun at step 60. If there are no additional servers ("N" in step 85), the method terminates.
- Referring to FIG. 1, in 2, Server 12 may respond to Connection/Identification Request 15, for example by sending a previously obtained SSL Certificate/Public Key 30 associated with server 12.
- In 3, Application 10 may check that the certificate chains to a root in its list of trusted CAs and verify that the certificate is unexpired and unrevoked. Further, Application 10 may verify that the name in the certificate (the Common Name and, in current practice, the Subject Alternative Name entries) is valid for server 12. If Application 10 trusts the certificate, it may create, encrypt, and send back encrypted session key 35, which may be a symmetric key encrypted using the public key of server 12.
- In 4, server 12 decrypts encrypted session key 35 using its private key and sends back acknowledgement 40, encrypted with the session key, to start an encrypted session. (Where the negotiated cipher suite uses an ephemeral Diffie-Hellman key exchange rather than RSA key transport, the session key is derived from that exchange instead of being encrypted under the server's public key; the certificate checks in 3 are unchanged.)
- In 5, application 10 and server 12 may communicate securely by encrypting the exchanged data with the session key.
- When the methods described above are used with cloud based applications and/or distributed applications, where VMs may be brought up and/or torn down dynamically, no automatic user-transparent process exists to dynamically obtain and/or associate certificates with newly spawned VMs so that secure communication with them may be facilitated. A cloud-based application may spawn tens or hundreds of VMs when running. Further, one or more existing VMs may be torn down dynamically during runtime, and the IP addresses associated with these VMs may be dynamically reallocated to other VMs. Therefore, traditional methods of obtaining and deploying certificates are either infeasible or cumbersome and may adversely affect application performance.
- Therefore, some embodiments described herein facilitate agile secure communications for cloud based applications.
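The per-server procedure of steps 55 through 90 above (generate a key and CSR on the server, send the CSR to the CA, install the result, move to the next server) can be driven from a short script. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes an `openssl` binary (1.1.1 or newer, for `-addext`) on the PATH; the DN values, hostnames and output paths are placeholders. It makes explicit the property the text glosses over: the private key is written locally and only the CSR is handed to the CA.

```python
"""Steps 55-90 of FIG. 2 as a script: one fresh key pair and one CSR per server.

Added example, not code from the patent or its assignee.  Assumes an `openssl`
binary (1.1.1 or newer, for -addext) on PATH; the DN values are placeholders.
"""
import shlex
import subprocess
import tempfile
from pathlib import Path

# Order of the Distinguished Name fields named in the DN record above.
DN_FIELDS = ("C", "ST", "L", "O", "OU", "CN")


def escape_dn_value(value: str) -> str:
    """Escape the characters that delimit openssl's -subj syntax ('/' and '+')."""
    return value.replace("\\", "\\\\").replace("/", "\\/").replace("+", "\\+")


def build_subject(dn: dict) -> str:
    """Render a DN as an openssl -subj string, e.g. '/C=US/O=Example/CN=x.cliqr.com'."""
    missing = [field for field in ("O", "CN") if field not in dn]
    if missing:
        raise ValueError(f"DN is missing required fields: {missing}")
    return "".join(f"/{field}={escape_dn_value(dn[field])}" for field in DN_FIELDS if field in dn)


def csr_command(dn: dict, key_path, csr_path, key_bits: int = 2048) -> list:
    """argv for `openssl req` that creates a private key and a CSR (step 60).

    The private key is written only to key_path.  The CSR carries the matching
    public key, the DN, and a self-signature made with the private key; it is
    the only artifact sent to the CA in step 70.  A subjectAltName is added
    because relying parties match dNSName entries, not the CN alone.
    """
    return [
        "openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
        "-keyout", str(key_path), "-out", str(csr_path),
        "-subj", build_subject(dn),
        "-addext", f"subjectAltName=DNS:{dn['CN']}",
    ]


def plan_csrs(base_dn: dict, hostnames: list, outdir) -> list:
    """One (key, CSR) command per server: the counter-i loop of steps 55-90."""
    outdir = Path(outdir)
    commands = []
    for host in hostnames:
        dn = dict(base_dn, CN=host)  # CN is the FQDN the certificate will serve
        commands.append(csr_command(dn, outdir / f"{host}.key", outdir / f"{host}.csr"))
    return commands


if __name__ == "__main__":
    base_dn = {"C": "US", "ST": "California", "L": "San Jose",
               "O": "Example Org", "OU": "Cloud Ops"}  # placeholder DN values
    workdir = Path(tempfile.mkdtemp())
    for argv in plan_csrs(base_dn, ["x.cliqr.com", "y.cliqr.com"], workdir):
        print(shlex.join(argv))
        subprocess.run(argv, check=True, capture_output=True)
    print(f"send only the *.csr files in {workdir} to the CA; the *.key files stay here")
```

Running it produces `x.cliqr.com.key`/`.csr` and `y.cliqr.com.key`/`.csr` in a temporary directory; the `.csr` files are what go to the CA in step 70, and the certificates that come back are installed beside the matching `.key` in step 80. Per-host CSRs like these are exactly the loop that the wildcard approach described later in this section replaces.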
- FIG. 3A shows an exemplary system 200 for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments. System 200 shown in FIG. 3A is merely exemplary and is used to illustrate the operation of some disclosed embodiments. Techniques and embodiments disclosed may also be deployed and/or used in conjunction with various other cloud-based and/or distributed computing systems. As shown in FIG. 3A, the architecture of system 200 can include exemplary User Interface Layer 110, Cloud Provisioning and Management Layer 150, and Cloud Application Deployment Layer 170.
- Exemplary User Interface Layer 110 may facilitate user configuration of system 200 and may comprise Application Importer Module 112, Policy Setting Module 116, and Execute Module 118. For example, Application Importer Module 112 may be used to import an application profile, security certificates (e.g. an X.509 certificate) including https/SSL/TLS certificates and certificate expiry date information, and other application specific information.
- In some embodiments, the certificates associated with an application may be "wildcard certificates." Wildcard certificates are special certificates that allow web hosts and enterprises to secure an unlimited number of sub-domains of a domain name on a single certificate. For example, wildcard certificates may use Subject Alternative Names (SANs) to secure a domain and/or its first-level subdomains. For example, a wildcard certificate associated with "cliqr.com" may be used to facilitate secure communication with "x.cliqr.com", "y.cliqr.com" and/or "z.cliqr.com". Wildcard certificates may also simplify certificate life-cycle management by removing the need to manage and track multiple individual certificates. In some embodiments, wildcard certificates associated with an application being imported may also be imported by Application Importer module 112. The term "wildcard certificate" is used because the first label of the Common Name associated with a wildcard certificate may be the wildcard character "*", which indicates that any DNS-conforming label is acceptable in its place. For example, if the Common Name associated with a wildcard certificate is "*.cliqr.com", then the domains "x.cliqr.com", "y.cliqr.com" and "z.cliqr.com" may use the above wildcard certificate for secure communications. Note that the wildcard matches exactly one label: "*.cliqr.com" covers neither "cliqr.com" itself (commonly covered by a separate SAN entry) nor a nested name such as "a.b.cliqr.com", and relying parties match the wildcard against the SAN dNSName entries rather than the Common Name alone. Because every VM that presents the wildcard certificate must also hold its private key, compromise of any one such VM exposes the key for the whole "*.cliqr.com" namespace.
- Exemplary User Interface Layer 110 may also include various end-user modules that permit user customization and configuration of system 100. Exemplary Application Importer Module 112 may facilitate the importation of new applications into system 100. In some embodiments, imported applications may be displayed to users using a "desktop-style" view, where icons representing the various applications are shown to the user in a window or browser tab. In some embodiments, pre-published applications in a marketplace associated with system 200 (for example, applications in an application library or "app store" associated with or supported by system 200) may be imported by users directly onto their desktop view. In some embodiments, Application Importer Module 112 may allow users to license or buy one or more pre-published applications.
- In general, any software application may be imported using exemplary Application Importer Module 112 in User Interface Layer 110. For example, an organization may deploy a desktop application on a cloud to be shared by users (e.g. employees and/or customers). In some embodiments, the application and any associated security certificates (which may also be associated with the organization or entity) may be imported using Application Importer module 112.
- In some embodiments, Policy Settings Module 116 may provide appropriate graphical user interfaces and other features to permit users to set, modify, and/or delete policies, which may be implemented using Policy Engine 134. For example, users may set policies that limit the clouds and/or configurations that specific user(s) and/or application(s) may use, limit the monetary budget available for an application run or a series of runs, etc.
- In some embodiments, Execute Module 118 may provide user interfaces to permit users to select an application, a cloud 172 (from available clouds 172-1, 172-2 . . . 172-N), associate other user configurable settings with the application, and execute the application on the selected cloud 172.
- In addition, as indicated by the dashed lines, User Interface Layer 110 may include several other modules (not shown) to allow users to specify system functionality related to reporting, auditing, and billing, and to permit viewing of application files and data on shared storage. For example, Reporting may provide analytical reports, runtime statistics and/or other information. The reports may be diced and sliced based on user, application and/or other criteria. Auditing may use agent monitoring to track user actions and report them. Billing may track the price of each job for invoicing to the customer. Modules in User Interface Layer 110 may also allow users to set permissions and other attributes on application and storage files in order to facilitate sharing and collaboration with other users.
- Exemplary Cloud Provisioning and Management Layer 150 may facilitate the management of cloud resources, prepare applications for deployment on one or more clouds, and may include Cloud Standardization Layer 160. Exemplary Cloud Provisioning and Management Layer 150 may also include exemplary Orchestrator module 130 and System Manager module 120.
- In some embodiments, Cloud Standardization Layer 160 may include functionality to facilitate standardization of library constructs (such as shared storage, network, cluster, security, etc.) across a variety of cloud providers. Although cloud providers may have provider-specific Application Programming Interfaces (APIs) and other infrastructure differences, Cloud Standardization Layer 160 may provide applications a cloud agnostic or cloud infrastructure-independent view of resources, including compute, storage and network resources. For example, Cloud Standardization Layer 160 can be a repository for various functional modules that permit applications to utilize various resources (including shared storage, server types, clusters and features such as queues, security, etc.) on each cloud in a cloud-agnostic manner.
- In some embodiments, Cloud Standardization Layer 160 may maintain resource standardizations for various clouds, such as exemplary clouds 172-1, 172-2 . . . 172-N, as well as references to cloud-specific implementations of the standardizations for each cloud 172. In some embodiments, exemplary Cloud Standardization Layer 160 may also maintain service-level agreements (SLAs), capability information about each cloud resource, information pertaining to cloud availability, reliability, and security, and performance and pricing information. Information may be maintained by Cloud Standardization Layer 160 using metadata XML files or databases, which, in some implementations, may be persistent. In some implementations, the capability information can be stored as {key, value} pairs in a database. Because individual clouds may have different capabilities for a standardized resource type, capability information may be indexed by cloud.
- Exemplary Cloud Provisioning and Management Layer 150 may also include exemplary Orchestrator module 130 and System Manager module 120. In some embodiments, System Manager 120 may manage user information and coordinate various user tasks with Orchestrator 130. For example, System Manager 120 may receive, maintain, and update user information 122, cloud information 124, application related information 126 (e.g. application profile, security certificates such as X.509 certificates including https/SSL/TLS certificates, and certificate expiry date information) and other data 128 such as job history, housekeeping information etc. In some embodiments, System Manager 120 may provide information about the application being deployed. In some embodiments, System Manager 120 may also facilitate user views of application files and data on shared storage, may move the application files and data to cloud storage, and may synchronize the application files and data between clouds.
- In some embodiments, System Manager 120 may serve as a storehouse and manager of information pertaining to user activities. For example, System Manager 120 may act as a management layer to initiate and manage application deployment and monitoring activities. For example, System Manager 120 may store, persist, and/or provide information imported by Application Importer Module 112, including security certificate information (e.g. X.509 certificate information) such as https/SSL/TLS certificate information and certificate expiry date information associated with an application/entity.
- In one embodiment, System Manager 120 may interact with modules in User Interface Layer 110 in order to facilitate the performance of management tasks on applications that may have been initiated by the user through User Interface Layer 110. Management tasks facilitated by System Manager 120 may include, for example, initiating application deployment, facilitating secure communications, configuring user and cloud accounts, specifying policies for application runs, and specifying base metrics around desired application price and performance.
- In addition, System Manager 120 may also manage automated tasks, which, in some embodiments, may have been initiated by Orchestrator 130. System Manager 120 may also call or invoke functions implemented by Orchestrator 130 in order to perform various system related activities. For example, System Manager 120 may invoke Secure Communications Module 137 to facilitate secure communication with a new VM spawned by a cloud based application. In some embodiments, System Manager 120 may maintain a relational database or data repository with information pertaining to system users, including user authentication and authorization information; a list of clouds (172-1, . . . 172-N) and the available cloud configurations for each cloud 172-i; information pertaining to applications/entities such as X.509 certificate information, which may include https/SSL/TLS certificate information and certificate expiry date information; policies that a user may have specified, etc.
- In some embodiments, Orchestrator 130 may use a common application representation to deploy and run a given application on any cloud, irrespective of implementation differences pertaining to the provisioning and utilization of application resources on the individual clouds, in part by using functionality provided by Cloud Standardization Layer 160. In some embodiments, Orchestrator 130 may include a cloud coordinator or gateway.
- In some embodiments, the common application representation may take the form of application descriptors (not shown), which may be input to Orchestrator 130. In some embodiments, a user may specify applications to import using Application Importer module 112, and application descriptors, which may include various primitives such as pattern and system primitives, may be used to describe applications to Cloud Standardization Layer 160.
- The pattern and system primitives may describe the execution patterns as well as node, storage, communication and network characteristics. Exemplary application descriptors can include information such as: application software and hardware requirements, application profile (whether memory intensive, Input-Output intensive, CPU intensive, etc.), specification of a distributed computing paradigm, and application steps (for workflow style applications). These primitives, Orchestrator 130, and the cloud coordinator/gateway have also been described in greater detail in co-pending U.S. patent application Ser. No. 13/024,302 filed Feb. 9, 2011, entitled "Apparatus, Systems and Methods for Deployment and Management of Distributed Computing Systems and Applications," which has been incorporated by reference in its entirety into the present application.
- In some embodiments, Orchestrator 130 may facilitate the deployment, running, and monitoring of applications on various clouds. For example, Orchestrator 130 may dynamically build clusters on a selected cloud 172 for application execution in response to an execute command entered by a user using an interface presented by Execute module 118. In some embodiments, Orchestrator module 130 may interact with Policy Engine 134, Secure Communication Module 137 and various other modules (not shown) depicted by the dashed line between the listed modules.
- Orchestrator 130 may maintain routines and other program code that implement algorithms for deploying, optimizing, managing and monitoring application runs on clouds. In some embodiments, routines and other functions performed by Orchestrator 130 may be managed and initiated by System Manager 120. Orchestrator 130 may also report back the status and results of the various orchestration activities to System Manager 120. In one embodiment, Orchestrator 130 may directly query System Manager 120 for information such as application data, policies, and cloud information.
- Policy Engine 134 may help enforce customer, user, and/or administrator policies. For example, Policy Engine 134 may enforce policies set by users through Policy Setting Module 116 that specify uptime criteria for clouds and/or applications that may be candidates for an application run, the maximum budget per user over some period, or the maximum application runtime on a cloud 172.
- In some embodiments, Secure Communications module 137 may provide functionality to associate wildcard certificates with VMs spawned by an application. The wildcard certificates may be associated with an entity and a domain where an application may be run and/or deployed. In some embodiments, Secure Communications module 137 may be invoked and provide functionality to spawn VMs and associate appropriate SSL/TLS/https wildcard certificates with the VMs. In some embodiments, the SSL/TLS/https wildcard certificates may be obtained by querying System Manager 120 and/or from a cache and/or from one or more databases maintained by System Manager 120. In some embodiments, Secure Communications module 137 may register the VMs with a DNS server. For example, in one embodiment, functionality provided by Secure Communications module 137 may be used to obtain an IP address such as "X.Y.Z.W" associated with the VM, where 0 ≤ X, Y, Z, W ≤ 255. In some embodiments, functionality provided by Secure Communications module 137 may be used to register a domain name associated with the VM. For example, for a VM with IP address "X.Y.Z.W" spawned in a domain "cliqr.com", the domain name registered with the DNS name server may take the form "X-Y-Z-W.cliqr.com". In some embodiments, the use of the IP address associated with a VM as part of its domain name may ensure that the domain name associated with each VM is unique at any given time; because an IP address may be reallocated to another VM after teardown, the DNS record should be removed or updated when the VM is torn down so that a stale name does not resolve to a different VM. In general, a name based, at least in part, on the IP address associated with the VM may be used to register the VM with the DNS server. In some embodiments, various other techniques may be used to obtain the domain name for the VM. For example, a string based on a function of the IP address, or generated by a pseudo-random process seeded with the IP address, may be used. In some embodiments, the use of the IP address (appropriately modified to comply with domain naming rules) may also facilitate easy identification of VMs for debugging, troubleshooting and other purposes.
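The name derivation just described, and the certificate-name check that a client performs in 3 of FIG. 1 against the resulting name, as an added example that is not the patent's code. "cliqr.com" and "*.cliqr.com" are the page's illustrative values; the VM addresses, the record TTL and the helper names are assumptions made here.

```python
"""Naming a VM after its IPv4 address and matching that name against a wildcard
certificate.  Added example, not code from the patent; "cliqr.com" and
"*.cliqr.com" are the page's illustrative values, the addresses are constructed.
"""
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits or '-', not starting/ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def ip_to_hostname(ip: str, domain: str) -> str:
    """'10.1.2.3' in 'cliqr.com' -> '10-1-2-3.cliqr.com' (the text's X-Y-Z-W form)."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input such as an octet > 255
    return f"{str(addr).replace('.', '-')}.{domain.lower().rstrip('.')}"


def hostname_to_ip(hostname: str, domain: str) -> str:
    """Inverse of ip_to_hostname, for the troubleshooting use the text mentions."""
    suffix = "." + domain.lower().rstrip(".")
    name = hostname.lower().rstrip(".")
    if not name.endswith(suffix) or name.count(".") != suffix.count("."):
        raise ValueError(f"{hostname!r} is not a first-level name under {domain!r}")
    return str(ipaddress.IPv4Address(name[: -len(suffix)].replace("-", ".")))


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Reference-identifier matching as relying parties do it (RFC 6125 style):
    '*' may only be the entire leftmost label and matches exactly one label, so
    '*.cliqr.com' covers '10-1-2-3.cliqr.com' but not 'cliqr.com' or 'a.b.cliqr.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in h):
        return False  # not a DNS-conforming name at all
    if "*" not in pattern:
        return p == h  # plain names compare label by label, case-insensitively
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False  # no partial wildcards ('x*.'), none deeper, none like '*.com'
    return len(h) == len(p) and h[1:] == p[1:]


def dns_a_record(ip: str, domain: str, ttl: int = 60) -> str:
    """Zone-file line registering the VM; a short TTL (assumed value) limits how
    long a stale name can keep pointing at a re-used address after teardown."""
    return f"{ip_to_hostname(ip, domain)}. {ttl} IN A {ipaddress.IPv4Address(ip)}"


if __name__ == "__main__":
    cert_name = "*.cliqr.com"  # the wildcard CN / SAN from the text
    for ip in ("10.1.2.3", "192.168.0.250"):  # constructed sample VM addresses
        name = ip_to_hostname(ip, "cliqr.com")
        covered = wildcard_matches(cert_name, name)
        print(dns_a_record(ip, "cliqr.com"), "->", "covered" if covered else "NOT covered")
    print("bare domain covered by the wildcard?", wildcard_matches(cert_name, "cliqr.com"))
```

The match rules have two consequences for this design: the derived name must be a single label directly under the wildcard's domain (so the IP-derived label may not contain dots), and since every VM that presents `*.cliqr.com` holds the same private key, any one compromised VM can impersonate every other name under the domain. Prompt removal of the DNS record at teardown and a short TTL limit, but do not remove, that exposure.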
- In some embodiments, in part by registering the VM with a DNS server and by associating wildcard certificates with the VM, Secure Communications module 137 may facilitate agile secure communications dynamically as new VMs are spawned by a distributed and/or cloud-based application. In some embodiments, Secure Communications module 137 may provide functionality to determine if one or more security certificates such as SSL/TLS/https certificates associated with an application have expired and/or are about to expire, and may alert an entity associated with the TLS/SSL/https certificate to renew and/or obtain a new certificate. For example, an application-related database maintained by System Manager 120 may be queried to determine expired certificates. In some embodiments, the validity period associated with a certificate may be stored as part of the application related information by System Manager 120 at the time an application is imported by Application Importer module 112.
- In some embodiments, Secure Communications module 137 may be implemented, in part, as a cloud agnostic service that associates wildcard certificates with VMs running in a cloud and/or registers the VM to be configured with an SSL/TLS/https certificate with a DNS server. In some embodiments, the cloud agnostic service may be invoked to spawn VMs that use secure communication, and/or when new VMs that use secure communication are spawned. For example, as discussed above, for a VM with IP address "X.Y.Z.W" spawned in a domain "cliqr.com", the domain name registered with the DNS name server may take the form "X-Y-Z-W.cliqr.com".
- Further, in some embodiments, the cloud agnostic service associated with Secure Communications module 137 may provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire, and may alert an entity (e.g. the domain owner) associated with the TLS/SSL/https certificate to renew and/or obtain a new certificate.
- In some embodiments, Secure Communications module 137 and/or the cloud agnostic service associated with Secure Communications module 137 may reside on an SSL configured Virtual Appliance. In general, a software appliance is a software application combined with an operating system so that the software can be run easily on industry standard hardware or virtual machines. A virtual appliance is created when the installation of a software appliance on a virtual machine is packaged. Thus, a virtual appliance refers to a virtual machine image that can run on a virtualization platform. A virtual machine image may take the form of a filesystem image and may include an operating system and the software required to deliver functionality or services. For example, Secure Communications module 137 and/or the cloud agnostic service associated with Secure Communications module 137 may form part of a virtual appliance, which, in some embodiments, may also include one or more other modules, software and/or services. In some embodiments, functionality provided by the virtual appliance may be used to register a VM with a DNS server and/or associate appropriate wildcard certificates with the VM, thereby facilitating agile secure communications dynamically as new VMs are spawned by a distributed and/or cloud-based application. For example, as discussed above, a name based, at least in part, on the IP address associated with the VM may be used to register the VM with the DNS server. In some embodiments, the virtual appliance may provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire, and may alert an entity associated with the TLS/SSL/https certificate to renew and/or obtain a new certificate.
- Tasks performed by Orchestrator 130 on Clouds 172 may be facilitated by Cloud Standardization Layer 160. For example, functionality provided by Cloud Standardization Layer 160 permits Orchestrator 130 to use infrastructure independent representations of application code to deploy applications. For example, the cloud agnostic service associated with Secure Communications module 137 may make use of functionality provided by Cloud Standardization Layer 160. In some embodiments, the infrastructure independent, cloud independent or cloud agnostic program code may be common across all clouds 172 because Cloud Standardization Layer 160 uses cloud specific Plugins, APIs and Cloud Specific Libraries to perform tasks for Orchestrator 130 on any given cloud 172-n.
- In some implementations, the deployment and running of applications and the dynamic management of clusters and other cloud resources may be facilitated by Cloud Application Deployment Layer 170. Cloud Application Deployment Layer 170 may include Cloud Plugins 142, Cloud APIs 144 and Cloud Specific Libraries 146.
- In some embodiments, the dynamic management of clusters and other cloud resources may be facilitated by using a node management service running on a "cloud coordinator/gateway" or "gateway" (not shown) for a specific cloud 172. The gateway may also maintain Cloud APIs 144, such as Cloud-1 APIs 144-1, Cloud-2 APIs 144-2, etc., as well as Cloud Specific Libraries 146, such as Cloud 1 Specific Libraries 146-1, Cloud 2 Specific Libraries 146-2, etc. The node management service may act as an intermediate layer between the cloud provider and the cloud orchestrator code and facilitate the addition or removal of nodes.
- Cloud Specific Libraries 146 and Cloud APIs 144 may comprise a library of implementations for primitives and composite interfaces, respectively, for a specific cloud 172. In some embodiments, Cloud APIs 144 and Cloud Specific Libraries 146 may be invoked using Cloud Plugins 142. For example, Cloud Plugins 142 may be used to invoke appropriate Cloud APIs 144 and routines from Cloud Specific Libraries 146 that permit the deployment and running of applications on Clouds 172, where the applications may have been described using application descriptors and standardized primitives from Cloud Standardization Layer 160.
- In some embodiments, when an application is to be deployed, a gateway may use Cloud APIs 144 and Cloud Specific Libraries 146 to perform deployment and execution tasks for its cloud 172. For example, shared storage primitives on Cloud Standardization Layer 160 may lead to instantiation of a DFS shared storage implementation on an Amazon™ cloud, while instantiating the shared storage implementation on a Terremark™ cloud will set up NAS/SAN. In some embodiments, the gateway may also launch one or more agents, which can be deployed on nodes on Clouds 172, to monitor and report task status back to the gateway.
- In some embodiments, functionality specified or configured by the user in User Interface Layer 110 may be implemented by one or more modules in Cloud Provisioning and Management Layer 150 and/or Cloud Application Deployment Layer 170, which, in some implementations, may include software agents running on a server and/or on the various clouds. These software agents may monitor application runtime statistics, collect cloud related information such as, but not limited to, cloud load information, pricing information, security information etc., and/or collect information related to user actions.
- In some embodiments, the software agents may run on each VM and may periodically check the validity of installed security certificates such as https/SSL/TLS certificates and may communicate with System Manager 120. In some embodiments, System Manager 120 may trigger notifications to a cloud, domain and/or application administrator regarding renewal of the security certificates. In some embodiments, System Manager 120 may invoke an appropriate https/SSL/TLS certificate vendor API to acquire new certificates and/or renew certificates and install the certificates on the VM. For example, new certificates may be obtained if a certificate has expired or if the expiration date of the current certificate falls within some threshold. The threshold may be some time period specified relative to the point in time at which the certificate expiry date is checked. In some embodiments, the threshold may be set in an application/user profile and/or may be some predetermined time period. When the renewed certificate is a wildcard certificate shared by many VMs, the new certificate (and any new private key) must be installed on every VM that presents it.
- As another example, the software agents may collect data for each application run, which may include but is not limited to: the time of the application run, the cloud name where the application was run, the cloud configuration for the application run, the pricing of that configuration, machine type, cluster size, storage size, memory size, network backbone type, storage implementation, data pertaining to success/failure/abnormal termination and cause, latency (length of an application run), throughput (number of transactions or requests), cost, etc.
- For example, an agent on each node of a cluster may monitor application runs for individual applications. The data gathered and reported by the agent at a cluster node may be aggregated and used at the gateway level to monitor and track performance and costs across applications for a user and/or client. In some embodiments, System Manager 120 may aggregate data across users and/or applications by cloud and store the data in a form that may be used for analytics and recommendation purposes.
- In some embodiments, a cloud-specific implementation of the distributed computing application may be derived from the infrastructure independent representation, and the cloud-specific implementation corresponding to the selected cloud configuration may be run on that cloud configuration. For example, an infrastructure independent representation of a distributed computing application may be deployed and run on various cloud configurations such as one or more of Amazon EC2, Terremark vCloud, Rackspace Cloudserver, Microsoft Azure, Savvis, or private clusters.
-
- FIG. 3B shows a block diagram of an exemplary system 300 to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments. In some embodiments, system 300 may comprise Secure Communications Module 137, which may obtain Wildcard SSL certificate/private key 305. For example, Secure Communications Module 137 may obtain Wildcard SSL certificate/private key 305 from a trusted CA or another entity. In some embodiments, Secure Communications Module 137 may reside on and/or form part of SSL configured Virtual Appliance 310 as indicated by the dashed box. In some embodiments, functionality associated with Secure Communications Module 137 may be realized on Cloud 172-j, 1≦j≦N, using Cloud Standardization Layer 160, Application Deployment Layer 170 and/or Cloud Coordinator/Gateway 380.
- In some embodiments, functionality provided by Secure Communications Module 137 and/or Virtual Appliance 310 may be used to dynamically register one or more VMs 385-k, 1≦k≦M, with DNS Name Server 389 and/or associate appropriate wildcard certificates 305 with VMs 385-k, thereby facilitating agile secure communications dynamically as new VMs 385-k are spawned by a distributed and/or cloud-based application shown as App Servers 387-k, 1≦k≦M. For example, in one exemplary implementation for an entity CliQr, wildcard certificates may specify the Common Name as "*.cliqr.com" and each VM 385-k may be named "X-Y-Z-W.cliqr.com", where "X.Y.Z.W" is the IP address associated with VM 385-k. In the example above, functionality provided by Secure Communications Module 137 and/or Virtual Appliance 310 may then be used to dynamically register one or more VMs 385-k using the name "X-Y-Z-W.cliqr.com" with the appropriate Name Server 389.
- For example, an organization may share a desktop based application with users but may opt to deploy the application on a cloud, where it may be accessed securely by users, for example, through a browser using the "https" protocol. The term "desktop application" is used to collectively refer to applications that are typically run locally on a single computer such as exemplary local computer system 110, for example, by a user at a terminal coupled to the computing system.
- For example, the desktop application may be hosted on one or more cloud nodes and accessed securely by users through a web browser. Cloud hosting of applications may offer several advantages including enhanced security, higher availability of the application, remote access, lower costs, etc. When "https" is used to secure communications with the cloud nodes, SSL/TLS/https certificates may be used. Accordingly, disclosed embodiments facilitate the dynamic association of the wildcard SSL/TLS/https certificate associated with the organization (and the domain name/application) with cloud nodes running the application. Because cloud nodes running the application belong to the organization, disclosed techniques facilitate dynamic association of the cloud nodes with a single security domain defined by the wildcard SSL/TLS/https certificate. Thus, new nodes may join and leave the security domain on the fly in a user-transparent manner without compromising security and/or impacting application deployment and/or performance. In some embodiments, App Servers 387-k, 1≦k≦M, may host the exemplary desktop application described above and/or one or more additional cloud based applications. Embodiments disclosed thus facilitate an "elastic" security domain, which may grow or shrink as new VMs are instantiated and existing VMs are torn down.
- For example, as discussed above, a name based, at least in part, on the IP address associated with a VM 385-k may be used to register the VM 385-k with DNS Name Server 389. In some embodiments, DNS Name Server 389 may be implemented as VM 385-0. In some embodiments, virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may keep track of application deployment on VMs 385-k (e.g. by maintaining an application-VM mapping) and may update the wildcard SSL certificate on demand on one or more of the VMs 385-k. In another embodiment, SSL certificate/private key 305 may be pre-configured on a virtual appliance 310, and new VMs 387-k may be spawned using virtual appliance 310.
- In some embodiments, virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may register a domain name which may be derived from the IP address associated with the VM 387-k. Thus, even if the IP address of some VM 387-t is released when that VM is terminated during application execution and then gets reused during execution of the same application for a new VM 387-n, the IP address to domain name mappings will continue to hold and DNS name resolution will continue to work. In the example implementation described above, if the domain name of a VM 387-t with IP address "50.25.10.1" is "50-25-10-1.cliqr.com" and VM 387-t uses a wildcard SSL certificate 305 associated with Common Name "*.cliqr.com", then, if VM 387-t is torn down and a new VM 387-n is spawned at a later point with the same IP address and with wildcard SSL certificate 305 with Common Name "*.cliqr.com", the DNS name "50-25-10-1.cliqr.com" will resolve correctly to new VM 387-n, thereby facilitating secure communication with new VM 387-n.
- In some embodiments, virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may: (i) obtain and/or be configured with wildcard SSL certificate and private key 305; (ii) launch name server 389, which may, in some instances, register with Authoritative DNS server 345 as a name server for the domain "cliqr.com"; (iii) instantiate VMs 385-k in cloud 172-j with wildcard certificate and private key 305; and (iv) dynamically register the IP addresses of VMs 385-k with name server 389. In some embodiments, where a virtual appliance 310 is used, VMs 385-k may be instances of virtual appliance 310. In some embodiments, name server 389 may, in turn, register with Authoritative DNS server 345 to permit access to VMs 385-k over network 330.
- In some embodiments, as outlined earlier, Secure Communications Module 137 and/or virtual appliance 310 may also provide functionality to determine if one or more SSL/TLS/https certificates associated with an application have expired and/or are about to expire and may alert an entity associated with the TLS/SSL/https certificate to renew and/or obtain a new certificate. For example, new certificates may be obtained if a certificate has expired or if the expiration date of the current certificate falls within some threshold time period. In some embodiments, the threshold may be set in an application/user/Secure Communications Module profile and/or may be some predetermined time period.
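The expiry check that the per-VM agents and Secure Communications Module 137 perform (described in the paragraph above and in the earlier paragraph on System Manager 120) is shown below as an added example; it is not code from the patent. It classifies a certificate as expired, due for renewal (expiry falls within the threshold measured from the time of the check) or ok. The threshold is passed in as a number of days, standing in for the profile setting the text refers to, and the `notAfter` string is in the form that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and check time are constructed for the example.

```python
"""Certificate expiry check with a renewal threshold (added example)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

EXPIRED = "expired"  # notAfter is already in the past: obtain a new certificate now
RENEW = "renew"      # expires within the threshold measured from the check time
OK = "ok"            # outside the threshold, nothing to do yet


def parse_not_after(not_after: str) -> datetime:
    """Parse notAfter as returned by ssl.SSLSocket.getpeercert(),
    e.g. 'Nov  1 00:00:00 2016 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_left(not_after: str, now_iso: str) -> int:
    """Whole days from the check time (ISO 8601 with UTC offset, e.g.
    '2016-10-01T00:00:00+00:00') until expiry; negative once expired."""
    now = datetime.fromisoformat(now_iso)
    return (parse_not_after(not_after) - now).days


def check_expiry(not_after: str, now_iso: str, threshold_days: int) -> str:
    """Classify one certificate. The threshold is relative to the check time,
    as the text specifies, so the same certificate can be OK on one run of
    the agent and RENEW on a later run."""
    now = datetime.fromisoformat(now_iso)
    expiry = parse_not_after(not_after)
    if expiry <= now:
        return EXPIRED
    if expiry - now <= timedelta(days=threshold_days):
        return RENEW
    return OK


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live variant for a running VM: connect over TLS (with the default
    trust store, so an invalid chain raises) and return the peer
    certificate's notAfter string. Needs network access and is not called
    by the offline demo below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def agent_report(certs: dict, now_iso: str, threshold_days: int) -> dict:
    """What an agent reports to the manager: hostname -> action for each
    installed certificate. 'certs' maps hostname -> notAfter string."""
    return {host: check_expiry(not_after, now_iso, threshold_days)
            for host, not_after in certs.items()}


if __name__ == "__main__":
    # Constructed sample: fixed check time, 30-day threshold, three VMs.
    NOW = "2016-10-01T00:00:00+00:00"
    SAMPLE = {
        "50-25-10-1.cliqr.com": "Nov  1 00:00:00 2016 GMT",  # 31 days left
        "50-25-10-2.cliqr.com": "Oct 20 00:00:00 2016 GMT",  # 19 days left
        "50-25-10-3.cliqr.com": "Sep 30 00:00:00 2016 GMT",  # expired yesterday
    }
    for host, action in agent_report(SAMPLE, NOW, 30).items():
        print(f"{host}: {action} ({days_left(SAMPLE[host], NOW)} days left)")
```

Because all VMs share one wildcard certificate, a single RENEW result means every VM in the domain needs the replacement installed; the agent output is therefore best aggregated at the manager rather than acted on per VM.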
- FIG. 3C shows a block diagram of an exemplary system 350 to support agile secure communication for cloud based applications in a manner consistent with disclosed embodiments. In FIG. 3C, except as outlined below, blocks with the same identifiers have functionality similar to the blocks described in FIG. 3B above. As shown in FIG. 3C, virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137 may: (i) obtain and/or be configured with wildcard SSL certificate and private key 305; (ii) instantiate VMs 385-k in cloud 172-j with wildcard certificate and private key 305; and (iii) dynamically register the IP addresses of VMs 385-k with authoritative DNS name server 345. For example, an API of an external DNS service may be used to register the host name and IP address with authoritative DNS name server 345.
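The naming and registration procedure of FIGS. 3B and 3C (instantiate VMs with the wildcard certificate, derive each VM's name from its IP address, register the name, and keep the mapping valid when an address is reused) is simulated offline below as an added example; it is not code from the patent. The in-memory `NameServer` class stands in for name server 389 or the external DNS API of FIG. 3C (an assumption; a real deployment would call the DNS service), and the check against "*.cliqr.com" applies the single-label wildcard rule of RFC 6125 that TLS clients use.

```python
"""VM naming, name-server registration and wildcard coverage (added example)."""
import ipaddress
from typing import Dict, Optional, Tuple

DOMAIN = "cliqr.com"            # the organization's domain from the text
WILDCARD_NAME = "*." + DOMAIN   # name on wildcard certificate 305


def hostname_from_ip(ip: str, domain: str = DOMAIN) -> str:
    """Step 430: dots in the IPv4 address become hyphens, giving one DNS
    label directly under the domain ("50.25.10.1" -> "50-25-10-1.cliqr.com")."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything else
    return str(addr).replace(".", "-") + "." + domain


def ip_from_hostname(name: str, domain: str = DOMAIN) -> str:
    """Inverse mapping: recover the address a VM name encodes."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError(f"{name} is not under {domain}")
    return str(ipaddress.IPv4Address(name[: -len(suffix)].replace("-", ".")))


def wildcard_matches(pattern: str, name: str) -> bool:
    """RFC 6125 rule: '*' is only honoured as the entire leftmost label and
    matches exactly one label, so '*.cliqr.com' covers '50-25-10-1.cliqr.com'
    but neither 'cliqr.com' nor '50-25-10-1.app.cliqr.com'."""
    p_labels = pattern.lower().split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if p_labels[0] != "*":
        return p_labels == n_labels
    if len(p_labels) != len(n_labels):
        return False
    return n_labels[0] != "" and p_labels[1:] == n_labels[1:]


class NameServer:
    """Stand-in for name server 389 (assumption: a real deployment would use
    a DNS service API here)."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}  # hostname -> IPv4 address

    def register(self, name: str, ip: str) -> None:
        self.records[name] = ip

    def deregister(self, name: str) -> None:
        self.records.pop(name, None)

    def resolve(self, name: str) -> Optional[str]:
        return self.records.get(name)


def spawn_vm(ns: NameServer, ip: str, domain: str = DOMAIN) -> str:
    """Steps 420/430 for one VM: it comes up with wildcard certificate and
    key 305 (not modelled), and its IP-derived name is registered. Refuses
    names the wildcard certificate would not cover."""
    name = hostname_from_ip(ip, domain)
    if not wildcard_matches(WILDCARD_NAME, name):
        raise RuntimeError(f"{name} is not covered by {WILDCARD_NAME}")
    ns.register(name, ip)
    return name


def ip_reuse_scenario(ns: NameServer, ip: str) -> Tuple[str, Optional[str], Optional[str]]:
    """VM 387-t is torn down and VM 387-n later receives the same address:
    the derived name is identical, so resolution works for the new VM."""
    name = spawn_vm(ns, ip)
    ns.deregister(name)               # VM 387-t torn down
    after_teardown = ns.resolve(name)
    spawn_vm(ns, ip)                  # VM 387-n with the same IP
    return name, after_teardown, ns.resolve(name)


if __name__ == "__main__":
    ns = NameServer()
    print(spawn_vm(ns, "50.25.10.1"))
    print(ip_reuse_scenario(ns, "50.25.10.1"))
    # An extra label breaks coverage: the wildcard matches one label only.
    print(wildcard_matches(WILDCARD_NAME, hostname_from_ip("50.25.10.1", "app.cliqr.com")))
```

Two points a practitioner should keep in mind when reproducing this scheme. First, the IP-derived label must sit directly under the domain named in the certificate; registering VMs under a sub-zone such as "app.cliqr.com" silently leaves them uncovered, which is what the guard in `spawn_vm` catches. Second, current browsers ignore the Common Name and require the wildcard as a dNSName Subject Alternative Name; the matching rule above is the same in both cases. Since every VM holds the same private key 305, the security domain the text describes is exactly the set of hosts holding that key, so compromise of any one VM exposes the key that authenticates all of them.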
- FIG. 4 shows an exemplary flowchart of a method 400 for facilitating secure communications for cloud based applications in a manner consistent with disclosed embodiments. In some embodiments, portions of method 400 may be performed by virtual appliance 310 and/or Secure Communications module 137 and/or a cloud agnostic service associated with Secure Communications module 137.
- In some embodiments, method 400 may be invoked in step 405. For example, in some embodiments, Secure Communication module 137 may be invoked by System Manager 120. Secure Communication module 137 may, in turn, invoke functionality provided by Cloud Standardization layer 160 and Application Deployment layer 170.
- In step 420, VMs may be instantiated in a specific cloud along with wildcard certificate and private key 305 associated with an entity owning a domain used by the application. For example, one or more VMs 385-k may be instantiated with a wildcard SSL certificate and private key 305 associated with an entity owning a domain used by the application.
- Next, in step 430, the VMs may be registered with a DNS Name Server, wherein the domain name associated with the VM may be derived from its IP address. For example, in one embodiment, the IP address associated with one or more VMs 385-k may be obtained, and a valid DNS name may be derived from the IP address. For example, for a VM with an IP address given by "50.25.10.1", a DNS name for the VM may be set to "50-25-10-1.cliqr.com", where "cliqr.com" is the higher level domain name. Control may then be returned to the invoking routine in step 425.
- Upon successful registration of the VMs with the DNS server, secure communication with the VMs may commence using the SSL certificate and the public and private keys. In some embodiments, wildcard SSL certificate and private key 410 may be configured as part of a virtual appliance such as virtual appliance 310.
- Note that method 400 is exemplary and for descriptive purposes only, and functionality disclosed in one or more steps may be rearranged (re-ordered, combined and/or deleted) in a manner consistent with disclosed embodiments, as would be apparent to one of ordinary skill in the art.
- Note that although the description above uses exemplary cloud infrastructures to describe possible implementations, alternate implementations are envisaged and the methods described could be extended to other cloud infrastructures as would be apparent to one of ordinary skill in the art. Further, although primitives, composite interfaces, and templates have been described as exemplary intermediate infrastructure independent representations, other infrastructure independent intermediate representational schemes may also be used. In some embodiments, software to facilitate conducting the processes described above can be recorded on computer-readable media or computer-readable memory. These include, but are not limited to, hard drives, solid state drives, optical media, non-volatile storage of various kinds, removable media, and the like.
- In some embodiments, the methods and modules described herein may be implemented using a variety of wired and/or wirelessly networked processors, various computers, and computing devices, including mobile devices such as smartphones, notebooks, and handheld computers, and various distributed computing systems.
- Other embodiments of the present invention will be apparent to those skilled in the art from consideration of the specification and practice of one or more embodiments of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
Claims (23)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/063,950 US9485099B2 (en) | 2013-10-25 | 2013-10-25 | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
Publications (2)
Publication Number | Publication Date |
---|---|
US20150121078A1 true US20150121078A1 (en) | 2015-04-30 |
US9485099B2 US9485099B2 (en) | 2016-11-01 |
Family
ID=52996829
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/063,950 Active 2034-03-09 US9485099B2 (en) | 2013-10-25 | 2013-10-25 | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
Country Status (1)
Country | Link |
---|---|
US (1) | US9485099B2 (en) |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150039770A1 (en) * | 2011-02-09 | 2015-02-05 | Cliqr Technologies, Inc. | Apparatus, systems and methods for deployment and management of distributed computing systems and applications |
US20150381467A1 (en) * | 2014-06-25 | 2015-12-31 | Blazemeter Ltd. | System and method thereof for dynamically testing networked target systems through simulation by a mobile device |
US9430213B2 (en) | 2014-03-11 | 2016-08-30 | Cliqr Technologies, Inc. | Apparatus, systems and methods for cross-cloud software migration and deployment |
US9485099B2 (en) | 2013-10-25 | 2016-11-01 | Cliqr Technologies, Inc. | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
CN107357631A (en) * | 2017-07-17 | 2017-11-17 | 郑州云海信息技术有限公司 | A kind of method and apparatus and computer-readable recording medium for managing virtual machine key |
US10003672B2 (en) | 2011-02-09 | 2018-06-19 | Cisco Technology, Inc. | Apparatus, systems and methods for deployment of interactive desktop applications on distributed infrastructures |
WO2018118418A1 (en) * | 2016-12-19 | 2018-06-28 | Arris Enterprises Llc | Secure provisioning of unique time-limited certificates to virtual application instances in dynamic and elastic systems |
US10091243B2 (en) | 2016-02-24 | 2018-10-02 | Qualcomm Incorporated | Apparatus and method for securely connecting to a remote server |
US10225335B2 (en) | 2011-02-09 | 2019-03-05 | Cisco Technology, Inc. | Apparatus, systems and methods for container based service deployment |
US10341251B2 (en) * | 2014-03-14 | 2019-07-02 | Citrix Systems, Inc. | Method and system for securely transmitting volumes into cloud |
US10678602B2 (en) | 2011-02-09 | 2020-06-09 | Cisco Technology, Inc. | Apparatus, systems and methods for dynamic adaptive metrics based application deployment on distributed infrastructures |
US11196735B2 (en) * | 2019-07-17 | 2021-12-07 | Microsoft Technology Licensing, Llc | Certificate management in segregated computer networks |
US20220086013A1 (en) * | 2015-12-23 | 2022-03-17 | Mcafee, Llc | Method and apparatus for hardware based file/document expiry timer enforcement |
US20220182246A1 (en) * | 2020-12-07 | 2022-06-09 | Siemens Healthcare Gmbh | Providing a first digital certificate and a dns response |
US11362843B1 (en) * | 2019-11-19 | 2022-06-14 | Amazon Technologies, Inc. | Certificate rotation on host |
US11411925B2 (en) | 2019-12-31 | 2022-08-09 | Oracle International Corporation | Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP) |
US11516671B2 (en) | 2021-02-25 | 2022-11-29 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service |
US11528251B2 (en) * | 2020-11-06 | 2022-12-13 | Oracle International Corporation | Methods, systems, and computer readable media for ingress message rate limiting |
US11553342B2 (en) | 2020-07-14 | 2023-01-10 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP) |
US11622255B2 (en) | 2020-10-21 | 2023-04-04 | Oracle International Corporation | Methods, systems, and computer readable media for validating a session management function (SMF) registration request |
US11689912B2 (en) | 2021-05-12 | 2023-06-27 | Oracle International Corporation | Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries |
US11700510B2 (en) | 2021-02-12 | 2023-07-11 | Oracle International Corporation | Methods, systems, and computer readable media for short message delivery status report validation |
US11751056B2 (en) | 2020-08-31 | 2023-09-05 | Oracle International Corporation | Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns |
US11770694B2 (en) | 2020-11-16 | 2023-09-26 | Oracle International Corporation | Methods, systems, and computer readable media for validating location update messages |
US11799874B1 (en) * | 2021-04-02 | 2023-10-24 | Wiz, Inc. | System and method for detecting lateral movement using SSH private keys |
US11811787B1 (en) * | 2021-04-02 | 2023-11-07 | Wiz, Inc. | System and method for detecting lateral movement using cloud access keys |
US11812271B2 (en) | 2020-12-17 | 2023-11-07 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns |
US11811786B1 (en) * | 2021-04-02 | 2023-11-07 | Wiz, Inc. | Lateral movement analysis using certificate private keys |
US11818570B2 (en) | 2020-12-15 | 2023-11-14 | Oracle International Corporation | Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks |
US11825310B2 (en) | 2020-09-25 | 2023-11-21 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks |
US11832172B2 (en) | 2020-09-25 | 2023-11-28 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface |
US11843706B1 (en) | 2019-11-19 | 2023-12-12 | Amazon Technologies, Inc. | Gradual certificate rotation |
US12015923B2 (en) | 2021-12-21 | 2024-06-18 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating effects of access token misuse |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10581829B1 (en) | 2017-05-31 | 2020-03-03 | Cisco Technology, Inc. | Certificate-based call identification and routing |
US11546296B2 (en) | 2018-10-18 | 2023-01-03 | Bank Of America Corporation | Cloud computing architecture with secure multi-cloud integration |
US11722595B2 (en) * | 2019-02-04 | 2023-08-08 | Comcast Cable Communications, Llc | Systems and methods for processing calls |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040093419A1 (en) * | 2002-10-23 | 2004-05-13 | Weihl William E. | Method and system for secure content delivery |
US20090083537A1 (en) * | 2005-08-10 | 2009-03-26 | Riverbed Technology, Inc. | Server configuration selection for ssl interception |
US20090092247A1 (en) * | 2007-10-05 | 2009-04-09 | Globalsign K.K. | Server Certificate Issuing System |
US20090307486A1 (en) * | 2008-06-09 | 2009-12-10 | Garret Grajek | System and method for secured network access utilizing a client .net software component |
US20090319793A1 (en) * | 2006-09-11 | 2009-12-24 | John Joseph Zic | Portable device for use in establishing trust |
US20120096271A1 (en) * | 2010-10-15 | 2012-04-19 | Microsoft Corporation | Remote Access to Hosted Virtual Machines By Enterprise Users |
US8195934B1 (en) * | 2007-05-03 | 2012-06-05 | United Services Automobile Association (Usaa) | Systems and methods for managing certificates |
US20130205028A1 (en) * | 2012-02-07 | 2013-08-08 | Rackspace Us, Inc. | Elastic, Massively Parallel Processing Data Warehouse |
US20130212386A1 (en) * | 2011-08-30 | 2013-08-15 | Brocade Communications Systems, Inc. | Storage Access Authentication Mechanism |
US20150222604A1 (en) * | 2011-12-21 | 2015-08-06 | Ssh Communications Security Oyj | Automated Access, Key, Certificate, and Credential Management |
Family Cites Families (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6192470B1 (en) | 1998-07-29 | 2001-02-20 | Compaq Computer Corporation | Configuration sizer for selecting system of computer components based on price/performance normalization |
US6718535B1 (en) | 1999-07-30 | 2004-04-06 | Accenture Llp | System, method and article of manufacture for an activity framework design in an e-commerce based environment |
US7523190B1 (en) | 1999-12-23 | 2009-04-21 | Bickerstaff Cynthia L | Real-time performance assessment of large area network user experience |
US20020120741A1 (en) | 2000-03-03 | 2002-08-29 | Webb Theodore S. | Systems and methods for using distributed interconnects in information management enviroments |
AU2003272404A1 (en) | 2002-09-16 | 2004-04-30 | Clearcube Technology, Inc. | Distributed computing infrastructure |
US7028218B2 (en) | 2002-12-02 | 2006-04-11 | Emc Corporation | Redundant multi-processor and logical processor configuration for a file server |
EP1772820A1 (en) | 2005-10-07 | 2007-04-11 | Hewlett-Packard Development Company, L.P. | Prediction of service Level Compliance in IT infrastructures |
US20070260702A1 (en) | 2006-05-03 | 2007-11-08 | University Of Washington | Web browser architecture for virtual machine access |
US7849350B2 (en) | 2006-09-28 | 2010-12-07 | Emc Corporation | Responding to a storage processor failure with continued write caching |
JP4902403B2 (en) | 2006-10-30 | 2012-03-21 | 株式会社日立製作所 | Information system and data transfer method |
JP5090022B2 (en) | 2007-03-12 | 2012-12-05 | 株式会社日立製作所 | Computer system, access control method, and management computer |
CN101971162B (en) | 2008-02-26 | 2012-11-21 | 威睿公司 | Extending server-based desktop virtual machine architecture to client machines |
US8543998B2 (en) | 2008-05-30 | 2013-09-24 | Oracle International Corporation | System and method for building virtual appliances using a repository metadata server and a dependency resolution service |
US8250215B2 (en) | 2008-08-12 | 2012-08-21 | Sap Ag | Method and system for intelligently leveraging cloud computing resources |
US8238256B2 (en) | 2008-09-08 | 2012-08-07 | Nugent Raymond M | System and method for cloud computing |
US8166552B2 (en) | 2008-09-12 | 2012-04-24 | Hytrust, Inc. | Adaptive configuration management system |
US8271974B2 (en) | 2008-10-08 | 2012-09-18 | Kaavo Inc. | Cloud computing lifecycle management for N-tier applications |
US9542222B2 (en) | 2008-11-14 | 2017-01-10 | Oracle International Corporation | Resource broker system for dynamically deploying and managing software services in a virtual environment based on resource usage and service level agreement |
US20100125476A1 (en) | 2008-11-20 | 2010-05-20 | Keun-Hyuk Yeom | System having business aware framework for supporting situation awareness |
US8275853B2 (en) | 2009-01-29 | 2012-09-25 | Hewlett-Packard Development Company, L.P. | Method and system for a service intermediary selection in a web service management system |
WO2010102084A2 (en) | 2009-03-05 | 2010-09-10 | Coach Wei | System and method for performance acceleration, data protection, disaster recovery and on-demand scaling of computer applications |
US8413139B2 (en) | 2009-03-11 | 2013-04-02 | Microsoft Corporation | Programming model for application and data access and synchronization within virtual environments |
US8176208B2 (en) | 2009-11-04 | 2012-05-08 | Hitachi, Ltd. | Storage system and operating method of storage system |
US8392838B2 (en) | 2010-01-27 | 2013-03-05 | Vmware, Inc. | Accessing virtual disk content of a virtual machine using a control virtual machine |
US8489918B2 (en) | 2010-04-21 | 2013-07-16 | Hitachi, Ltd. | Storage system and ownership control method for storage system |
US8688994B2 (en) | 2010-06-25 | 2014-04-01 | Microsoft Corporation | Federation among services for supporting virtual-network overlays |
US9239996B2 (en) | 2010-08-24 | 2016-01-19 | Solano Labs, Inc. | Method and apparatus for clearing cloud compute demand |
US8739157B2 (en) | 2010-08-26 | 2014-05-27 | Adobe Systems Incorporated | System and method for managing cloud deployment configuration of an application |
US8904005B2 (en) | 2010-11-23 | 2014-12-02 | Red Hat, Inc. | Indentifying service dependencies in a cloud deployment |
US8762964B2 (en) | 2010-12-17 | 2014-06-24 | Cisco Technology, Inc. | Optimizing symbol manipulation language-based executable applications for distributed execution |
US9218343B2 (en) | 2010-12-20 | 2015-12-22 | International Business Machines Corporation | Partition file system for virtual machine memory management |
WO2012092553A1 (en) | 2010-12-31 | 2012-07-05 | Desktone, Inc. | Providing virtual desktops using resources accessed on public computer networks |
US10003672B2 (en) | 2011-02-09 | 2018-06-19 | Cisco Technology, Inc. | Apparatus, systems and methods for deployment of interactive desktop applications on distributed infrastructures |
US8862933B2 (en) | 2011-02-09 | 2014-10-14 | Cliqr Technologies, Inc. | Apparatus, systems and methods for deployment and management of distributed computing systems and applications |
US10678602B2 (en) | 2011-02-09 | 2020-06-09 | Cisco Technology, Inc. | Apparatus, systems and methods for dynamic adaptive metrics based application deployment on distributed infrastructures |
US8868636B2 (en) | 2011-04-04 | 2014-10-21 | Lansing Arthur Parker | Apparatus for secured distributed computing |
US8843998B2 (en) | 2011-06-27 | 2014-09-23 | Cliqr Technologies, Inc. | Apparatus, systems and methods for secure and selective access to services in hybrid public-private infrastructures |
US9485099B2 (en) | 2013-10-25 | 2016-11-01 | Cliqr Technologies, Inc. | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
2013
- 2013-10-25 US US14/063,950 patent/US9485099B2/en active Active
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10003672B2 (en) | 2011-02-09 | 2018-06-19 | Cisco Technology, Inc. | Apparatus, systems and methods for deployment of interactive desktop applications on distributed infrastructures |
US10678602B2 (en) | 2011-02-09 | 2020-06-09 | Cisco Technology, Inc. | Apparatus, systems and methods for dynamic adaptive metrics based application deployment on distributed infrastructures |
US9307019B2 (en) * | 2011-02-09 | 2016-04-05 | Cliqr Technologies, Inc. | Apparatus, systems and methods for deployment and management of distributed computing systems and applications |
US10225335B2 (en) | 2011-02-09 | 2019-03-05 | Cisco Technology, Inc. | Apparatus, systems and methods for container based service deployment |
US9661071B2 (en) | 2011-02-09 | 2017-05-23 | Cliqr Technologies, Inc. | Apparatus, systems and methods for deployment and management of distributed computing systems and applications |
US20150039770A1 (en) * | 2011-02-09 | 2015-02-05 | Cliqr Technologies, Inc. | Apparatus, systems and methods for deployment and management of distributed computing systems and applications |
US9485099B2 (en) | 2013-10-25 | 2016-11-01 | Cliqr Technologies, Inc. | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
US10162666B2 (en) | 2014-03-11 | 2018-12-25 | Cisco Technology, Inc. | Apparatus, systems and methods for cross-cloud software migration and deployment |
US9430213B2 (en) | 2014-03-11 | 2016-08-30 | Cliqr Technologies, Inc. | Apparatus, systems and methods for cross-cloud software migration and deployment |
US10341251B2 (en) * | 2014-03-14 | 2019-07-02 | Citrix Systems, Inc. | Method and system for securely transmitting volumes into cloud |
US20150381467A1 (en) * | 2014-06-25 | 2015-12-31 | Blazemeter Ltd. | System and method thereof for dynamically testing networked target systems through simulation by a mobile device |
US10250483B2 (en) * | 2014-06-25 | 2019-04-02 | Ca, Inc. | System and method thereof for dynamically testing networked target systems through simulation by a mobile device |
US20220086013A1 (en) * | 2015-12-23 | 2022-03-17 | Mcafee, Llc | Method and apparatus for hardware based file/document expiry timer enforcement |
US10375117B2 (en) | 2016-02-24 | 2019-08-06 | Qualcomm Incorporated | Apparatus and method for securely connecting to a remote server |
US10880334B2 (en) | 2016-02-24 | 2020-12-29 | Qualcomm Incorporated | Apparatus and method for securely connecting to a remote server |
US10091243B2 (en) | 2016-02-24 | 2018-10-02 | Qualcomm Incorporated | Apparatus and method for securely connecting to a remote server |
WO2018118418A1 (en) * | 2016-12-19 | 2018-06-28 | Arris Enterprises Llc | Secure provisioning of unique time-limited certificates to virtual application instances in dynamic and elastic systems |
US10432407B2 (en) * | 2016-12-19 | 2019-10-01 | Arris Enterprises Llc | Secure provisioning of unique time-limited certificates to virtual application instances in dynamic and elastic systems |
CN107357631A (en) * | 2017-07-17 | 2017-11-17 | 郑州云海信息技术有限公司 | Method and apparatus for managing a virtual machine key, and computer-readable storage medium |
US11196735B2 (en) * | 2019-07-17 | 2021-12-07 | Microsoft Technology Licensing, Llc | Certificate management in segregated computer networks |
US11843706B1 (en) | 2019-11-19 | 2023-12-12 | Amazon Technologies, Inc. | Gradual certificate rotation |
US11362843B1 (en) * | 2019-11-19 | 2022-06-14 | Amazon Technologies, Inc. | Certificate rotation on host |
US11411925B2 (en) | 2019-12-31 | 2022-08-09 | Oracle International Corporation | Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP) |
US11553342B2 (en) | 2020-07-14 | 2023-01-10 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP) |
US11751056B2 (en) | 2020-08-31 | 2023-09-05 | Oracle International Corporation | Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns |
US11825310B2 (en) | 2020-09-25 | 2023-11-21 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks |
US11832172B2 (en) | 2020-09-25 | 2023-11-28 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface |
US11622255B2 (en) | 2020-10-21 | 2023-04-04 | Oracle International Corporation | Methods, systems, and computer readable media for validating a session management function (SMF) registration request |
US11528251B2 (en) * | 2020-11-06 | 2022-12-13 | Oracle International Corporation | Methods, systems, and computer readable media for ingress message rate limiting |
US11770694B2 (en) | 2020-11-16 | 2023-09-26 | Oracle International Corporation | Methods, systems, and computer readable media for validating location update messages |
US20220182246A1 (en) * | 2020-12-07 | 2022-06-09 | Siemens Healthcare Gmbh | Providing a first digital certificate and a dns response |
US11671266B2 (en) * | 2020-12-07 | 2023-06-06 | Siemens Healthcare Gmbh | Providing a first digital certificate and a DNS response |
US11818570B2 (en) | 2020-12-15 | 2023-11-14 | Oracle International Corporation | Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks |
US11812271B2 (en) | 2020-12-17 | 2023-11-07 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns |
US11700510B2 (en) | 2021-02-12 | 2023-07-11 | Oracle International Corporation | Methods, systems, and computer readable media for short message delivery status report validation |
US11516671B2 (en) | 2021-02-25 | 2022-11-29 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service |
US11811786B1 (en) * | 2021-04-02 | 2023-11-07 | Wiz, Inc. | Lateral movement analysis using certificate private keys |
US11811787B1 (en) * | 2021-04-02 | 2023-11-07 | Wiz, Inc. | System and method for detecting lateral movement using cloud access keys |
US11799874B1 (en) * | 2021-04-02 | 2023-10-24 | Wiz, Inc. | System and method for detecting lateral movement using SSH private keys |
US20230421573A1 (en) * | 2021-04-02 | 2023-12-28 | Wiz, Inc. | System and method for detecting lateral movement using ssh private keys |
US20240031376A1 (en) * | 2021-04-02 | 2024-01-25 | Wiz, Inc. | System and method for detecting lateral movement using cloud access keys |
US20240048566A1 (en) * | 2021-04-02 | 2024-02-08 | Wiz, Inc. | Lateral movement analysis using certificate private keys |
US11916926B1 (en) * | 2021-04-02 | 2024-02-27 | Wiz, Inc. | Lateral movement analysis using certificate private keys |
US11949690B2 (en) * | 2021-04-02 | 2024-04-02 | Wiz, Inc. | System and method for detecting lateral movement using SSH private keys |
US20240146743A1 (en) * | 2021-04-02 | 2024-05-02 | Wiz, Inc. | Lateral movement analysis using certificate private keys |
US11689912B2 (en) | 2021-05-12 | 2023-06-27 | Oracle International Corporation | Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries |
US12015923B2 (en) | 2021-12-21 | 2024-06-18 | Oracle International Corporation | Methods, systems, and computer readable media for mitigating effects of access token misuse |
Also Published As
Publication number | Publication date |
---|---|
US9485099B2 (en) | 2016-11-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9485099B2 (en) | Apparatus, systems and methods for agile enablement of secure communications for cloud based applications |
US11018948B2 (en) | Network-based resource configuration discovery service | |
JP7203444B2 (en) | Selectively provide mutual transport layer security using alternate server names | |
US11811722B2 (en) | Method for processing cloud service in cloud system, apparatus, and device | |
US11063745B1 (en) | Distributed ledger for multi-cloud service automation | |
US9544188B2 (en) | System and method for webtier providers in a cloud platform environment | |
US20220121469A1 (en) | Managing virtual infrastructure resources in cloud environments | |
US11153297B2 (en) | Systems and methods to facilitate certificate and trust management across a distributed environment | |
US20180321993A1 (en) | System and method for management of deployed services and applications | |
US9843487B2 (en) | System and method for provisioning cloud services using a hybrid service management engine plugin | |
US8291490B1 (en) | Tenant life cycle management for a software as a service platform | |
US10419301B2 (en) | System and method for multitenant service management engine in a cloud platform environment | |
US11310208B1 (en) | Secure time service | |
US7634548B2 (en) | Distributed service deliver model | |
CA2911639A1 (en) | Instant data security in un-trusted environments | |
US11431720B1 (en) | Authentication and authorization with remotely managed user directories | |
US11418395B2 (en) | Systems and methods for an enhanced framework for a distributed computing system | |
CN113934550A (en) | Joint operation and maintenance device for edge computing network | |
US11424940B2 (en) | Standalone tool for certificate management | |
US20190258497A1 (en) | Template-based software discovery and management in virtual desktop infrastructure (VDI) environments | |
CN112514328B (en) | Communication system, provider node, communication node and method for providing virtual network functions to customer nodes | |
US10715318B2 (en) | Lightweight cryptographic service for simplified key life-cycle management | |
US20240241743A1 (en) | Registration and deployment of an agent platform appliance in a hybrid environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: CLIQR TECHNOLOGIES, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: FU, TIANYING; PARANJAPE, JAGADISH; REEL/FRAME: 031625/0308. Effective date: 20131023 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | AS | Assignment | Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: CLIQR TECHNOLOGIES LLC; REEL/FRAME: 043310/0258. Effective date: 20170809 |
 | AS | Assignment | Owner name: CLIQR TECHNOLOGIES LLC, DELAWARE. Free format text: CHANGE OF NAME; ASSIGNOR: CLIQR TECHNOLOGIES, INC.; REEL/FRAME: 043576/0311. Effective date: 20160419 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |
 | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |